Fixed CVE-2020-21532

Resolves: #2006007
Ondrej Dubaj 2021-09-21 10:39:14 +02:00
parent b9b827e082
commit 2eaab1479d
2 changed files with 136 additions and 0 deletions

134
0015-CVE-2020-21532.patch Normal file

@ -0,0 +1,134 @@
From ae23821f5959ee7c6d10cf0219fad013d3469a6f Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Tue, 21 Sep 2021 10:35:53 +0200
Subject: [PATCH] Accept -1 as default TeX font, fixes ticket #81
The default for PostScript fonts is -1, for TeX fonts 0. Accepting -1 for TeX
fonts lead to out-of-bound read. Now, -1 for TeX fonts is converted to 0.
Accept -1 TeX font in more places, fixes #71, #75
Continue the work started in commit [00cded]. Fix the fundamental issue of
tickets #71 and #75, which was hidden by commit [d70e4b].
---
fig2dev/dev/genpict2e.c | 9 +++++----
fig2dev/dev/gentikz.c | 9 +++++----
fig2dev/dev/texfonts.h | 14 +++++++++-----
fig2dev/tests/read.at | 14 +++++++++++++-
4 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/fig2dev/dev/genpict2e.c b/fig2dev/dev/genpict2e.c
index 9f828f0..22daedd 100644
--- a/fig2dev/dev/genpict2e.c
+++ b/fig2dev/dev/genpict2e.c
@@ -2222,11 +2222,12 @@ put_font(F_text *t)
}
if (psfont_text(t))
- fprintf(tfp, "\\usefont%s",
- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
+ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
+ t->font + 1 : 0]);
else
- fprintf(tfp, "\\normalfont%s ",
- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
+ /* Default psfont is -1, default texfont 0, also accept -1. */
+ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
+ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
}
void
diff --git a/fig2dev/dev/gentikz.c b/fig2dev/dev/gentikz.c
index 96ee41c..6d8aff4 100644
--- a/fig2dev/dev/gentikz.c
+++ b/fig2dev/dev/gentikz.c
@@ -1771,11 +1771,12 @@ put_font(F_text *t)
}
if (psfont_text(t))
- fprintf(tfp, "\\usefont%s",
- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
+ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
+ t->font + 1 : 0]);
else
- fprintf(tfp, "\\normalfont%s ",
- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
+ /* Default psfont is -1, default texfont 0, also accept -1. */
+ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
+ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
}
/*
diff --git a/fig2dev/dev/texfonts.h b/fig2dev/dev/texfonts.h
index 89097f2..e5254b6 100644
--- a/fig2dev/dev/texfonts.h
+++ b/fig2dev/dev/texfonts.h
@@ -35,17 +35,21 @@ extern char texfontsizes[];
#define MAXFONTSIZE 42
#ifdef NFSS
-#define TEXFAMILY(F) (texfontfamily[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
-#define TEXSERIES(F) (texfontseries[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
-#define TEXSHAPE(F) (texfontshape[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+#define TEXFAMILY(F) texfontfamily[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
+ : MAX_FONT-1]
+#define TEXSERIES(F) texfontseries[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
+ : MAX_FONT-1]
+#define TEXSHAPE(F) texfontshape[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
+ : MAX_FONT-1]
#endif
-#define TEXFONT(F) (texfontnames[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+#define TEXFONT(F) texfontnames[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
+ : MAX_FONT-1]
/*
#define TEXFONTSIZE(S) (texfontsizes[((S) <= MAXFONTSIZE) ? (int)(round(S))\
: (MAXFONTSIZE-1)])
*/
-#define TEXFONTSIZE(S) (((S) <= MAXFONTSIZE) ? texfontsizes[(int)(round(S))] : (S))
+#define TEXFONTSIZE(S) ((S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S))
#define TEXFONTMAG(T) TEXFONTSIZE(T->size*(rigid_text(T) ? 1.0 : fontmag))
void setfigfont(F_text *text); /* genepic.c */
diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
index c53fbb9..d85356b 100644
--- a/fig2dev/tests/read.at
+++ b/fig2dev/tests/read.at
@@ -406,7 +406,7 @@ EOF
])
AT_CLEANUP
-AT_SETUP([allow tex font -1, ticket #81])
+AT_SETUP([allow tex font -1, tickets #71, #75, #81])
AT_KEYWORDS([pict2e tikz])
AT_DATA([text.fig], [FIG_FILE_TOP
4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
@@ -415,6 +415,8 @@ AT_CHECK([fig2dev -L pict2e text.fig
], 0, ignore)
AT_CHECK([fig2dev -L tikz text.fig
], 0, ignore)
+AT_CHECK([fig2dev -L mp text.fig
+], 0, ignore)
AT_CLEANUP
AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
@@ -430,6 +432,16 @@ EOF
], 1, ignore, ignore)
AT_CLEANUP
+AT_SETUP([allow tex font -1, ticket #81])
+AT_DATA([text.fig], [FIG_FILE_TOP
+4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
+])
+AT_CHECK([fig2dev -L pict2e text.fig
+], 0, ignore)
+AT_CHECK([fig2dev -L tikz text.fig
+], 0, ignore)
+AT_CLEANUP
+
AT_BANNER([Dynamically allocate picture file name.])
AT_SETUP([prepend fig file path to picture file name])
--
2.31.1
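Review bot: The psfont branch of put_font() in genpict2e.c and gentikz.c is only re-wrapped, so `texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]` still has no lower bound, and any font value below -1 yields a negative index, the same class of out-of-bounds read this patch closes for TeX fonts. Unless the reader already rejects such values (not visible here), clamp it as well: `texpsfonts[t->font >= -1 && t->font <= MAX_PSFONT ? t->font + 1 : 0]`. `TEXFONTSIZE(S)` in texfonts.h is likewise only reformatted and still indexes `texfontsizes[(int)round(S)]` when `S` is negative. The added tests cover only font -1; a case with a font below -1 and one with a negative size would pin both bounds. put_font()'s body starts outside both hunks.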


@ -21,6 +21,7 @@ Patch11: 0011-CVE-2020-21680.patch
Patch12: 0012-CVE-2020-21678-CVE-2020-21684.patch Patch12: 0012-CVE-2020-21678-CVE-2020-21684.patch
Patch13: 0013-CVE-2020-21676.patch Patch13: 0013-CVE-2020-21676.patch
Patch14: 0014-CVE-2020-21529.patch Patch14: 0014-CVE-2020-21529.patch
Patch15: 0015-CVE-2020-21532.patch
Requires: ghostscript Requires: ghostscript
Requires: bc Requires: bc
@ -75,6 +76,7 @@ mv fig2dev.1.in.new man/fig2dev.1.in
%changelog %changelog
* Mon Sep 20 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-8 * Mon Sep 20 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-8
- Fixed CVE-2020-21529 (#2005518) - Fixed CVE-2020-21529 (#2005518)
- Fixed CVE-2020-21532 (#2006007)
* Mon Aug 30 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-7 * Mon Aug 30 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-7
- Fixed CVE-2020-21681 (#1998350) - Fixed CVE-2020-21681 (#1998350)
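Review bot: Only the `Patch15:` declaration and a changelog line are added to the spec, and no matching `%patch15 -p1` appears in these hunks. If %prep applies patches one by one rather than through `%autosetup` or `%autopatch` (the %prep section is not visible here), the CVE-2020-21532 fix would be declared but never applied to the build; confirm it in the build log. The new changelog line is also filed under the existing 1:3.2.7b-8 entry dated Sep 20, so check that -8 had not already been built, otherwise the Release needs a bump.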