Fixed null pointer dereference in function agroot()

Resolves: CVE-2019-11023
This commit is contained in:
Jaroslav Škarvada 2019-04-24 13:17:03 +02:00
parent 1b199dfecd
commit cccd8d37a2
2 changed files with 72 additions and 1 deletions

View File

@ -0,0 +1,65 @@
--- a/cmd/tools/graphml2gv.c
+++ b/cmd/tools/graphml2gv.c
@@ -477,8 +468,10 @@
if (pos > 0) {
const char *attrname;
attrname = atts[pos];
-
- bind_node(attrname);
+ if (G == 0)
+ fprintf(stderr,"node %s outside graph, ignored\n",attrname);
+ else
+ bind_node(attrname);
pushString(&ud->elements, attrname);
}
@@ -504,21 +497,25 @@
if (tname)
head = tname;
- bind_edge(tail, head);
-
- t = AGTAIL(E);
- tname = agnameof(t);
-
- if (strcmp(tname, tail) == 0) {
- ud->edgeinverted = FALSE;
- } else if (strcmp(tname, head) == 0) {
- ud->edgeinverted = TRUE;
- }
-
- pos = get_xml_attr("id", atts);
- if (pos > 0) {
- setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
- }
+ if (G == 0)
+ fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head);
+ else {
+ bind_edge(tail, head);
+
+ t = AGTAIL(E);
+ tname = agnameof(t);
+
+ if (strcmp(tname, tail) == 0) {
+ ud->edgeinverted = FALSE;
+ } else if (strcmp(tname, head) == 0) {
+ ud->edgeinverted = TRUE;
+ }
+
+ pos = get_xml_attr("id", atts);
+ if (pos > 0) {
+ setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
+ }
+ }
} else {
/* must be some extension */
fprintf(stderr,
@@ -545,7 +536,7 @@
char *ele_name = topString(ud->elements);
if (ud->closedElementType == TAG_GRAPH) {
Agnode_t *node = agnode(root, ele_name, 0);
- agdelete(root, node);
+ if (node) agdelete(root, node);
}
popString(&ud->elements);
Current_class = TAG_GRAPH;

View File

@ -61,7 +61,7 @@
Name: graphviz
Summary: Graph Visualization Tools
Version: 2.40.1
Release: 44%{?dist}
Release: 45%{?dist}
License: EPL-1.0
URL: http://www.graphviz.org/
# A bit hacking needed due to: https://gitlab.com/graphviz/graphviz/issues/1371
@ -73,6 +73,7 @@ Patch2: graphviz-2.40.1-CVE-2018-10196.patch
# rhbz#1505230
Patch3: graphviz-2.40.1-dotty-menu-fix.patch
Patch4: graphviz-2.40.1-coverity-scan-fixes.patch
Patch5: graphviz-2.40.1-CVE-2019-11023.patch
BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig, sed
BuildRequires: fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel
@ -289,6 +290,7 @@ Various tcl packages (extensions) for the graphviz tools.
%patch2 -p1 -b .CVE-2018-10196
%patch3 -p1 -b .dotty-menu-fix
%patch4 -p1 -b .coverity-scan-fixes
%patch5 -p1 -b .CVE-2019-11023
# Attempt to fix rpmlint warnings about executable sources
find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@ -607,6 +609,10 @@ php --no-php-ini \
%{_mandir}/man3/*.3tcl*
%changelog
* Wed Apr 24 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-45
- Fixed null pointer dereference in function agroot()
Resolves: CVE-2019-11023
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.40.1-44
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild