From 51d1f1a277c5e762e5c263976fc8cfc8d4ba3dd2 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj
Date: Mon, 30 Aug 2021 10:58:19 +0200
Subject: [PATCH] Fixed CVE-2020-21680
Resolves: #1998306
---
0011-CVE-2020-21680.patch | 55 +++++++++++++++++++++++++++++++++++++++
transfig.spec | 2 ++
2 files changed, 57 insertions(+)
create mode 100644 0011-CVE-2020-21680.patch
diff --git a/0011-CVE-2020-21680.patch b/0011-CVE-2020-21680.patch
new file mode 100644
index 0000000..c34bdc7
--- /dev/null
+++ b/0011-CVE-2020-21680.patch
@@ -0,0 +1,55 @@
+Subject: [PATCH] Allow arrows with zero length on arcs
+
+Use the tangent, not a secant, for short arrows on arcs.
+---
+ fig2dev/bound.c | 9 ++++-----
+ fig2dev/tests/output.at | 8 ++++++++
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fig2dev/bound.c b/fig2dev/bound.c
+index ce7f4d1..9e997b7 100644
+--- a/fig2dev/bound.c
++++ b/fig2dev/bound.c
+@@ -1095,16 +1095,15 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
+ r=sqrt(dx*dx+dy*dy);
+ h = (double) arrow->ht;
+ /* lines are made a little thinner in set_linewidth */
+- thick = (arrow->thickness <= THICK_SCALE) ?
+- 0.5* arrow->thickness :
+- arrow->thickness - THICK_SCALE;
++ thick = arrow->thickness <= THICK_SCALE ?
++ 0.5 * arrow->thickness : arrow->thickness - THICK_SCALE;
+ /* lpt is the amount the arrowhead extends beyond the end of the line */
+ lpt = thick/2.0/(arrow->wid/h/2.0);
+ /* add this to the length */
+ h += lpt;
+
+- /* radius too small for this method, use normal method */
+- if (h > 2.0*r) {
++ /* secant would be too large or too small */
++ if (h > 2.0*r || h < 0.01*r) {
+ arc_tangent_int(x1,y1,x2,y2,direction,x,y);
+ return;
+ }
+diff --git a/fig2dev/tests/output.at b/fig2dev/tests/output.at
+index 79788cc..9150dbe 100644
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -175,6 +175,14 @@ AT_CHECK([fig2dev -L pict2e -P big1.fig big1.tex && \
+ ], 0, ignore)
+ AT_CLEANUP
+
++AT_SETUP([accept arc arrows with zero height, ticket #74])
++AT_KEYWORDS(pict2e)
++AT_CHECK([fig2dev -L pict2e < - 1:3.2.7b-7 - Fixed CVE-2020-21681 (#1998350) - Fixed CVE-2020-21683 (#1998594) +- Fixed CVE-2020-21680 (#1998306) * Tue Aug 10 2021 Mohan Boddu - 1:3.2.7b-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
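Review bot: In the fig2dev/bound.c part of the embedded patch, `lpt = thick/2.0/(arrow->wid/h/2.0);` still runs before the new guard, so the zero-height arrow this fix targets divides by zero on that line. When `arrow->wid` is zero as well, the result is presumably NaN under IEEE arithmetic, and both comparisons in `if (h > 2.0*r || h < 0.01*r)` are then false, so a crafted .fig file could skip the `arc_tangent_int` fallback and reach the secant computation with a NaN length. Writing the guard in negated form, `if (!(h >= 0.01*r && h <= 2.0*r)) {`, sends NaN to the tangent path too; validating `ht` and `wid` where the arrow is read would be the more thorough fix. compute_arcarrow_angle starts above and continues below this hunk, so how the later code treats such values cannot be confirmed from here.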