transfig/0014-CVE-2020-21529.patch

33 lines
1013 B
Diff
Raw Normal View History

From 2397ae3bb903f59a017c8ec9db87164048b86827 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Mon, 20 Sep 2021 08:31:22 +0200
Subject: [PATCH] Keep coordinates of spline controls within sane range
---
fig2dev/read.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fig2dev/read.c b/fig2dev/read.c
index 6e47f2d..349a685 100644
--- a/fig2dev/read.c
+++ b/fig2dev/read.c
@@ -1392,6 +1392,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
cp->next = NULL;
free_splinestorage(s);
return NULL;
+ }
+ if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
+ rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
+ /* do not care to clean up, we exit anyway
+ cp->next = NULL;
+ free_splinestorage(s); */
+ put_msg("Spline control points out of range at line %d.",
+ *line_no);
+ exit(EXIT_FAILURE);
}
cq->lx = lx; cq->ly = ly;
cq->rx = rx; cq->ry = ry;
--
2.31.1