import transfig-3.2.7b-10.el9

SOURCES/0009-CVE-2020-21681-CVE-2020-21682.patch

@@ -0,0 +1,109 @@
+Subject: [PATCH] Allow DEFAULT color in cgm and ge output and fix memory leak
+ in gencgm.c
+
+---
+ fig2dev/dev/gencgm.c        |  8 +++++++-
+ fig2dev/dev/genge.c         |  7 ++++---
+ fig2dev/tests/data/line.fig |  2 +-
+ fig2dev/tests/output.at     | 10 ++++++++++
+ 4 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/fig2dev/dev/gencgm.c b/fig2dev/dev/gencgm.c
+index 6d9d9cb..0033c36 100644
+--- a/fig2dev/dev/gencgm.c
++++ b/fig2dev/dev/gencgm.c
+@@ -148,9 +148,11 @@ gencgm_start(F_compound *objects)
+ {
+   int	 i;
+   char	*p, *figname;
++  char	*figname_buf = NULL;
+ 
+   if (from) {
+-	figname = strdup(from);
++	figname_buf = strdup(from);
++	figname = figname_buf;
+ 	p = strrchr(figname, '/');
+ 	if (p)
+ 	    figname = p+1;	/* remove path from name for comment in file */
+@@ -252,6 +254,8 @@ gencgm_start(F_compound *objects)
+     print_comments("% ",objects->comments, " %");
+     fprintf(tfp,"%% %%\n");
+   }
++  if (figname_buf)
++    free(figname_buf);
+ }
+ 
+ int
+@@ -549,6 +553,8 @@ hatchindex(index)
+ static void
+ getrgb(int color, int *r, int *g, int *b)
+ {
++  if (color < 0)	/* DEFAULT color is black */
++    color = 0;
+   if (color < NUM_STD_COLS) {
+     *r = stdcols[color].r * 255.;
+     *g = stdcols[color].g * 255.;
+diff --git a/fig2dev/dev/genge.c b/fig2dev/dev/genge.c
+index 8caabf1..c2ab712 100644
+--- a/fig2dev/dev/genge.c
++++ b/fig2dev/dev/genge.c
+@@ -52,7 +52,8 @@ static void	genge_ctl_spline(F_spline *s);
+ 				    /* color mapping		*/
+ 				    /* xfig	ge		*/
+ 
+-static int	GE_COLORS[] = {	 1, /* black	black		*/
++static int	GE_COLORS[] = {  1, /* DEFAULT == black		*/
++				 1, /* black	black		*/
+ 				 8, /* blue	blue		*/
+ 				 7, /* green	green		*/
+ 				 6, /* cyan	cyan		*/
+@@ -434,7 +435,7 @@ back_arrow(F_line *l)
+ static void
+ set_color(int col)
+ {
+-	fprintf(tfp,"c%02d ",GE_COLORS[col]);
++	fprintf(tfp,"c%02d ",GE_COLORS[col + 1]);
+ }
+ 
+ /* set fill if there is a fill style */
+@@ -443,7 +444,7 @@ static void
+ set_fill(int style, int color)
+ {
+ 	if (style != UNFILLED)
+-	    fprintf(tfp,"C%02d ",GE_COLORS[color]);
++	    fprintf(tfp,"C%02d ",GE_COLORS[color + 1]);
+ }
+ 
+ /*
+diff --git a/fig2dev/tests/data/line.fig b/fig2dev/tests/data/line.fig
+index e033b12..bfc4976 100644
+--- a/fig2dev/tests/data/line.fig
++++ b/fig2dev/tests/data/line.fig
+@@ -7,5 +7,5 @@ A9
+ Single
+ -2
+ 1200 2
+-2 1 0 3 0 7 50 -1 -1 0.0 0 0 -1 0 0 3
++2 1 0 3 -1 7 50 -1 -1 0.0 0 0 -1 0 0 3
+ 50 50 500 50 500 200
+diff --git a/fig2dev/tests/output.at b/fig2dev/tests/output.at
+index 9a1bc45..79788cc 100644
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -261,3 +261,13 @@ AT_CHECK([fig2dev -L tikz -P big1.fig big1.tex && \
+ 	latex -halt-on-error big1.tex && latex -halt-on-error big2.tex
+ ], 0, ignore)
+ AT_CLEANUP
++
++AT_BANNER([Test other output languages.])
++
++AT_SETUP([allow default color in ge, cgm output, #72, #73])
++AT_KEYWORDS(cgm ge)
++AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig
++], 0, ignore)
++AT_CHECK([fig2dev -L ge $srcdir/data/line.fig
++], 0, ignore)
++AT_CLEANUP
+-- 
+2.31.1
+

SOURCES/0010-CVE-2020-21683.patch

@@ -0,0 +1,25 @@
+Subject: [PATCH] Fix pstricks fill with non-solid default color
+
+In the pstricks output, filling an area with the shaded or tinted default color
+is now equivalent to filling with shaded or tinted black color.
+---
+ fig2dev/dev/genpstricks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fig2dev/dev/genpstricks.c b/fig2dev/dev/genpstricks.c
+index cf49207..40ea577 100644
+--- a/fig2dev/dev/genpstricks.c
++++ b/fig2dev/dev/genpstricks.c
+@@ -1856,7 +1856,8 @@ format_options(char *options, char *prefix, char *postfix, char *sqrb_init,
+     else if (fill_style <= 40)
+       /* shade or tint fill */
+       sprintf(tmps, "fillstyle=solid,fillcolor=%s",
+-	      shade_or_tint_name_after_declare_color(tmpc, fill_style, fill_color));
++	      shade_or_tint_name_after_declare_color(tmpc, fill_style,
++		      fill_color == DEFAULT ? CT_BLACK : fill_color));
+     else {
+       char *type = 0, *ps;
+       int angle = 0;
+-- 
+2.31.1
+

SOURCES/0011-CVE-2020-21680.patch

@@ -0,0 +1,55 @@
+Subject: [PATCH] Allow arrows with zero length on arcs
+
+Use the tangent, not a secant, for short arrows on arcs.
+---
+ fig2dev/bound.c         | 9 ++++-----
+ fig2dev/tests/output.at | 8 ++++++++
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fig2dev/bound.c b/fig2dev/bound.c
+index ce7f4d1..9e997b7 100644
+--- a/fig2dev/bound.c
++++ b/fig2dev/bound.c
+@@ -1095,16 +1095,15 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
+ 	r=sqrt(dx*dx+dy*dy);
+ 	h = (double) arrow->ht;
+ 	/* lines are made a little thinner in set_linewidth */
+-	thick = (arrow->thickness <= THICK_SCALE) ?
+-		    0.5* arrow->thickness :
+-		    arrow->thickness - THICK_SCALE;
++	thick = arrow->thickness <= THICK_SCALE ?
++		0.5 * arrow->thickness : arrow->thickness - THICK_SCALE;
+ 	/* lpt is the amount the arrowhead extends beyond the end of the line */
+ 	lpt = thick/2.0/(arrow->wid/h/2.0);
+ 	/* add this to the length */
+ 	h += lpt;
+ 
+-	/* radius too small for this method, use normal method */
+-	if (h > 2.0*r) {
++	/* secant would be too large or too small */
++	if (h > 2.0*r || h < 0.01*r) {
+ 	    arc_tangent_int(x1,y1,x2,y2,direction,x,y);
+ 	    return;
+ 	}
+diff --git a/fig2dev/tests/output.at b/fig2dev/tests/output.at
+index 79788cc..9150dbe 100644
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -175,6 +175,14 @@ AT_CHECK([fig2dev -L pict2e -P big1.fig big1.tex && \
+ ], 0, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([accept arc arrows with zero height, ticket #74])
++AT_KEYWORDS(pict2e)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++5 1 0 1 0 7 50 -1 -1 0.0 0 0 1 0 0.0 0.0 600 0 0 600 -600 0
++	1 1 1.0 60.0 0.0
++EOF], 0, ignore)
++AT_CLEANUP
+ 
+ AT_BANNER([Test svg output language.])
+ AT_SETUP([compare patterns with template])
+-- 
+2.31.1
+

SOURCES/0012-CVE-2020-21678-CVE-2020-21684.patch

@@ -0,0 +1,134 @@
+From 8e7bcd6952535163a919e1f6891b44521ba86a8d Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Fri, 3 Sep 2021 08:15:34 +0200
+Subject: [PATCH] Reject ASCII NUL anywhere in the input
+
+The input is read in line by line, stored in a buffer and processed further
+with sscanf(). Embedded NUL characters ('\0') would already disturb sscanf(),
+and nowhere does the code expect NUL characters. Therefore, detect NUL while
+reading the input, and exit with an error message when NUL is found anywere.
+Fixes ticket #80.
+---
+ CHANGES                              |   4 ++++
+ fig2dev/read.c                       |  21 +++++++++++++++++++--
+ fig2dev/tests/data/text_w_ascii0.fig |  12 ++++++++++++
+ fig2dev/tests/read.at                |  16 ++++++++++++++++
+ 4 files changed, 51 insertions(+), 2 deletions(-)
+ create mode 100644 fig2dev/tests/data/text_w_ascii0.fig
+
+diff --git a/CHANGES b/CHANGES
+index 4a414fa..f1bbbc3 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -6,6 +6,10 @@ Patchlevel Xx (Xxx 20xx)
+ 
+ BUGS FIXED:
+ 	Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
++	o Fix ticket #81.
++	o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
++	o Use getline() to improve input scanning.
++	  Fixes tickets #58, #59, #61, #62, #67, #78, #79.
+ 	o Correctly scan embedded pdfs for /MediaBox value.
+ 	o Convert polygons having too few points to polylines. Ticket #56.
+ 	o Reject huge arrow types causing integer overflow. Ticket #57.
+diff --git a/fig2dev/read.c b/fig2dev/read.c
+index aea9537..6e47f2d 100644
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -200,8 +200,14 @@ read_objects(FILE *fp, F_compound *obj)
+ 		put_msg("Could not read input file.");
+ 		return -1;
+ 	}
+-	/* seek to the end of the first line */
+-	if (strchr(buf, '\n') == NULL) {
++
++	/* check for embedded '\0' */
++	if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
++		put_msg("ASCII NUL ('\\0') character within the first line.");
++		exit(EXIT_FAILURE);
++	/* seek to the end of the first line
++	   (the only place, where '\0's are tolerated) */
++	} else if (buf[strlen(buf) - 1] != '\n') {
+ 		int	c;
+ 		do
+ 			c = fgetc(fp);
+@@ -1399,6 +1405,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
+ 	return s;
+ }
+ 
++static void
++exit_on_ascii_NUL(const char *restrict line, size_t chars, int line_no)
++{
++	if (strlen(line) < (size_t)chars) {
++		put_msg("ASCII NUL ('\\0') in line %d.", line_no);
++		exit(EXIT_FAILURE);
++	}
++}
++
+ static char *
+ find_end(const char *str, int v30flag)
+ {
+@@ -1470,6 +1485,7 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ 
+ 		while ((chars = getline(line, line_len, fp)) != -1) {
+ 			++(*line_no);
++			exit_on_ascii_NUL(*line, chars, *line_no);
+ 			end = find_end(*line, v30_flag);
+ 			if (end) {
+ 				*end = '\0';
+@@ -1641,6 +1657,7 @@ get_line(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ 		if (**line == '\n' || (**line == '\r' &&
+ 					chars == 2 && (*line)[1] == '\n'))
+ 			continue;
++		exit_on_ascii_NUL(*line, chars, *line_no);
+ 		/* remove newline and possibly a carriage return */
+ 		if ((*line)[chars-1] == '\n') {
+ 			chars -= (*line)[chars - 2] == '\r' ? 2 : 1;
+diff --git a/fig2dev/tests/data/text_w_ascii0.fig b/fig2dev/tests/data/text_w_ascii0.fig
+new file mode 100644
+index 0000000..c0aa754
+--- /dev/null
++++ b/fig2dev/tests/data/text_w_ascii0.fig
+@@ -0,0 +1,12 @@
++#FIG 3.2
++Landscape
++Center
++Inches
++Letter
++100.00
++Single
++-2
++1200 2
++4 0 0 2 0 25 163 31 7 0  0 -1 1 0 2
++ 0& 4 120 5 y\  0 0 0^^^^^J^^^^^<U+0080>ÿÿ^^^^^^^^^^^^^^^^^^^^^^45 E\0I1y\001
++#4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 An ascii zero '\\0' here ->...and some more text following, with a certain amount of minimum characters\001
+diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
+index 9b34bfb..60982b0 100644
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -406,6 +406,22 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([allow tex font -1, ticket #81])
++AT_KEYWORDS([pict2e tikz])
++AT_DATA([text.fig], [FIG_FILE_TOP
++4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
++])
++AT_CHECK([fig2dev -L pict2e text.fig
++], 0, ignore)
++AT_CHECK([fig2dev -L tikz text.fig
++], 0, ignore)
++AT_CLEANUP
++
++AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
++AT_KEYWORDS([read.c svg])
++AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])
+-- 
+2.31.1
+

SOURCES/0013-CVE-2020-21676.patch

@@ -0,0 +1,83 @@
+From 180cf468f8999cfb7245bac5b3be447aefa6c852 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Fri, 3 Sep 2021 08:24:19 +0200
+Subject: [PATCH] Reject text or ellipse angles beyond -2pi to 2pi, #76
+
+In fact, generously extend the allowed range to -7 to 7.
+Sane applications, e.g., xfig, certainly keep the angles within one revolution.
+---
+ CHANGES               | 5 +++--
+ fig2dev/object.h      | 7 ++++---
+ fig2dev/tests/read.at | 8 ++++++++
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index f1bbbc3..52daead 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -6,8 +6,9 @@ Patchlevel Xx (Xxx 20xx)
+ 
+ BUGS FIXED:
+ 	Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+-	o Fix ticket #81.
+-	o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
++	o Accept text and ellipse angles only within -2*pi to 2*pi. Fixes #76.
++	o Allow -1 as default TeX font, not only 0. Fixes #71, #75, #81.
++	o Do not allow ASCII NUL anywhere in input. Fixes #65, #68, #73, #80.
+ 	o Use getline() to improve input scanning.
+ 	  Fixes tickets #58, #59, #61, #62, #67, #78, #79.
+ 	o Correctly scan embedded pdfs for /MediaBox value.
+diff --git a/fig2dev/object.h b/fig2dev/object.h
+index fe56bbb..8464010 100644
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2019 by Thomas Loimer
++ * Parts Copyright (c) 2015-2020 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -94,7 +94,8 @@ typedef struct f_ellipse {
+ #define INVALID_ELLIPSE(e)	\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+ 	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+-	e->radiuses.x == 0 || e->radiuses.y == 0
++	e->radiuses.x == 0 || e->radiuses.y == 0 || \
++	e->angle < -7. || e->angle > 7.
+ 
+ typedef struct f_arc {
+ 	int			type;
+@@ -243,7 +244,7 @@ typedef struct f_text {
+ 	t->type < T_LEFT_JUSTIFIED || t->type > T_RIGHT_JUSTIFIED ||	\
+ 	t->font < DEFAULT || t->font > MAX_PSFONT ||			\
+ 	t->flags < DEFAULT || t->flags >= 2 * HIDDEN_TEXT ||		\
+-	t->height < 0 || t->length < 0
++	t->height < 0 || t->length < 0 || t->angle < -7. || t->angle > 7.
+ 
+ typedef struct f_control {
+ 	double			lx, ly, rx, ry;	/* used by older versions*/
+diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
+index 60982b0..c53fbb9 100644
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -422,6 +422,14 @@ AT_KEYWORDS([read.c svg])
+ AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([reject out of range text angle, ticket #76])
++AT_CHECK([fig2dev -L pstricks <<EOF
++FIG_FILE_TOP
++4 0 0 50 -1 -1 12 9e26 0 150 405 0 0 Very slanted text\001
++EOF
++], 1, ignore, ignore)
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])
+-- 
+2.31.1
+

SOURCES/0014-CVE-2020-21529.patch

@@ -0,0 +1,32 @@
+From 2397ae3bb903f59a017c8ec9db87164048b86827 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Mon, 20 Sep 2021 08:31:22 +0200
+Subject: [PATCH] Keep coordinates of spline controls within sane range
+
+---
+ fig2dev/read.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fig2dev/read.c b/fig2dev/read.c
+index 6e47f2d..349a685 100644
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1392,6 +1392,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
+ 		cp->next = NULL;
+ 		free_splinestorage(s);
+ 		return NULL;
++	    }
++		if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
++		rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
++		    /* do not care to clean up, we exit anyway
++		       cp->next = NULL;
++		       free_splinestorage(s);	*/
++		    put_msg("Spline control points out of range at line %d.",
++				    *line_no);
++		    exit(EXIT_FAILURE);
+ 	    }
+ 	    cq->lx = lx; cq->ly = ly;
+ 	    cq->rx = rx; cq->ry = ry;
+-- 
+2.31.1
+

SOURCES/0015-CVE-2020-21532.patch

@@ -0,0 +1,134 @@
+From ae23821f5959ee7c6d10cf0219fad013d3469a6f Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 21 Sep 2021 10:35:53 +0200
+Subject: [PATCH] Accept -1 as default TeX font, fixes ticket #81
+
+The default for PostScript fonts is -1, for TeX fonts 0. Accepting -1 for TeX
+fonts lead to out-of-bound read. Now, -1 for TeX fonts is converted to 0.
+
+Accept -1 TeX font in more places, fixes #71, #75
+
+Continue the work started in commit [00cded]. Fix the fundamental issue of
+tickets #71 and #75, which was hidden by commit [d70e4b].
+---
+ fig2dev/dev/genpict2e.c |  9 +++++----
+ fig2dev/dev/gentikz.c   |  9 +++++----
+ fig2dev/dev/texfonts.h  | 14 +++++++++-----
+ fig2dev/tests/read.at   | 14 +++++++++++++-
+ 4 files changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/fig2dev/dev/genpict2e.c b/fig2dev/dev/genpict2e.c
+index 9f828f0..22daedd 100644
+--- a/fig2dev/dev/genpict2e.c
++++ b/fig2dev/dev/genpict2e.c
+@@ -2222,11 +2222,12 @@ put_font(F_text *t)
+ 	}
+ 
+ 	if (psfont_text(t))
+-	    fprintf(tfp, "\\usefont%s",
+-		    texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
++	    fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
++				t->font + 1 : 0]);
+ 	else
+-	    fprintf(tfp, "\\normalfont%s ",
+-		    texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
++	    /* Default psfont is -1, default texfont 0, also accept -1. */
++		fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
++				(t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
+ }
+ 
+ void
+diff --git a/fig2dev/dev/gentikz.c b/fig2dev/dev/gentikz.c
+index 96ee41c..6d8aff4 100644
+--- a/fig2dev/dev/gentikz.c
++++ b/fig2dev/dev/gentikz.c
+@@ -1771,11 +1771,12 @@ put_font(F_text *t)
+ 	}
+ 
+ 	if (psfont_text(t))
+-	    fprintf(tfp, "\\usefont%s",
+-		    texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
++	    fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
++				t->font + 1 : 0]);
+ 	else
+-	    fprintf(tfp, "\\normalfont%s ",
+-		    texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
++	    /* Default psfont is -1, default texfont 0, also accept -1. */
++		fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
++			    (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
+ }
+ 
+ /*
+diff --git a/fig2dev/dev/texfonts.h b/fig2dev/dev/texfonts.h
+index 89097f2..e5254b6 100644
+--- a/fig2dev/dev/texfonts.h
++++ b/fig2dev/dev/texfonts.h
+@@ -35,17 +35,21 @@ extern char		texfontsizes[];
+ #define MAXFONTSIZE	42
+ 
+ #ifdef NFSS
+-#define TEXFAMILY(F)	(texfontfamily[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+-#define TEXSERIES(F)	(texfontseries[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+-#define TEXSHAPE(F)	(texfontshape[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
++#define TEXFAMILY(F)	texfontfamily[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++						: MAX_FONT-1]
++#define TEXSERIES(F)	texfontseries[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++						: MAX_FONT-1]
++#define TEXSHAPE(F)	texfontshape[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++						: MAX_FONT-1]
+ #endif
+-#define TEXFONT(F)	(texfontnames[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
++#define TEXFONT(F)	texfontnames[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++						: MAX_FONT-1]
+ 
+ /*
+ #define TEXFONTSIZE(S)	(texfontsizes[((S) <= MAXFONTSIZE) ? (int)(round(S))\
+ 							: (MAXFONTSIZE-1)])
+ */
+-#define TEXFONTSIZE(S)	(((S) <= MAXFONTSIZE) ? texfontsizes[(int)(round(S))] : (S))
++#define TEXFONTSIZE(S)	((S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S))
+ #define TEXFONTMAG(T)	TEXFONTSIZE(T->size*(rigid_text(T) ? 1.0 : fontmag))
+ 
+ void setfigfont(F_text *text);		/* genepic.c */
+diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
+index c53fbb9..d85356b 100644
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -406,7 +406,7 @@ EOF
+ ])
+ AT_CLEANUP
+ 
+-AT_SETUP([allow tex font -1, ticket #81])
++AT_SETUP([allow tex font -1, tickets #71, #75, #81])
+ AT_KEYWORDS([pict2e tikz])
+ AT_DATA([text.fig], [FIG_FILE_TOP
+ 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
+@@ -415,6 +415,8 @@ AT_CHECK([fig2dev -L pict2e text.fig
+ ], 0, ignore)
+ AT_CHECK([fig2dev -L tikz text.fig
+ ], 0, ignore)
++AT_CHECK([fig2dev -L mp text.fig
++], 0, ignore)
+ AT_CLEANUP
+ 
+ AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
+@@ -430,6 +432,16 @@ EOF
+ ], 1, ignore, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([allow tex font -1, ticket #81])
++AT_DATA([text.fig], [FIG_FILE_TOP
++4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
++])
++AT_CHECK([fig2dev -L pict2e text.fig
++], 0, ignore)
++AT_CHECK([fig2dev -L tikz text.fig
++], 0, ignore)
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])
+-- 
+2.31.1
+

SOURCES/0016-CVE-2020-21531.patch

@@ -0,0 +1,63 @@
+From d50ae523fcee5c2d4357bbd8ce5baeeb18d15a2c Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 21 Sep 2021 10:42:50 +0200
+Subject: [PATCH] Reject out-of-range pattern
+
+---
+ fig2dev/object.h      |  2 +-
+ fig2dev/tests/read.at | 19 +++++++++++++++++--
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/fig2dev/object.h b/fig2dev/object.h
+index 8464010..6830b13 100644
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -61,7 +61,7 @@ typedef struct f_comment {
+ 	o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE ||		\
+ 	o->thickness < 0 || o->depth < 0 || o->depth > 999 || 		\
+ 	o->fill_style < UNFILLED ||					\
+-	o->fill_style > NUMSHADES + NUMTINTS + NUMPATTERNS ||		\
++	o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS ||		\
+ 	o->style_val < 0.0
+ 
+ typedef struct f_ellipse {
+diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
+index d85356b..7765805 100644
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -421,15 +421,30 @@ AT_CLEANUP
+ 
+ AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
+ AT_KEYWORDS([read.c svg])
+-AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
++AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig],
++1, ignore, [ASCII NUL ('\0') in line 11.
++])
+ AT_CLEANUP
+ 
+ AT_SETUP([reject out of range text angle, ticket #76])
++AT_KEYWORDS([read.c pstricks])
+ AT_CHECK([fig2dev -L pstricks <<EOF
+ FIG_FILE_TOP
+ 4 0 0 50 -1 -1 12 9e26 0 150 405 0 0 Very slanted text\001
+ EOF
+-], 1, ignore, ignore)
++], 1, ignore, [Invalid text object at line 10.
++])
++AT_CLEANUP
++
++AT_SETUP([reject out-of-range pattern fills, ticket #63])
++AT_KEYWORDS([read.c cgm])
++AT_CHECK([fig2dev -L cgm <<EOF
++FIG_FILE_TOP
++2 3 0 0 0 7 50 -1 63 0.000 0 0 -1 0 0 4
++	 0 0 1200 0 600 800 0 0
++EOF
++], 1, ignore, [Invalid line object at line 10.
++])
+ AT_CLEANUP
+ 
+ AT_SETUP([allow tex font -1, ticket #81])
+-- 
+2.31.1
+

SOURCES/0017-CVE-2021-32280.patch

@@ -0,0 +1,29 @@
+From fa5a2dced5cad973c3a9c9e83f21165942f1cd6d Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Thu, 23 Sep 2021 09:49:37 +0200
+Subject: [PATCH] Do not crash on incomplete, closed splines
+
+---
+ fig2dev/trans_spline.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fig2dev/trans_spline.c b/fig2dev/trans_spline.c
+index 0905c79..60c54ad 100644
+--- a/fig2dev/trans_spline.c
++++ b/fig2dev/trans_spline.c
+@@ -226,6 +226,12 @@ compute_closed_spline(F_spline *spline, float precision)
+   if (!init_point_array(300, 200))
+       return NULL;
+ 
++  if (!(spline->points /* p0 */ && spline->controls /* s0 */ &&
++  spline->points->next /* p1 */ && spline->controls->next /* s1 */ &&
++  spline->points->next->next && spline->controls->next->next/* p2, s2 */&&
++  spline->points->next->next->next && spline->controls->next->next->next))
++       return NULL;
++
+   INIT_CONTROL_POINTS(spline, p0, s0, p1, s1, p2, s2, p3, s3);
+   COPY_CONTROL_POINT(first, s_first, p0, s0);
+ 
+-- 
+2.31.1
+

SOURCES/0018-exit-no-args.patch

@@ -0,0 +1,39 @@
+Subject: [PATCH] Exit correctly when invoked without arguments
+https://sourceforge.net/p/mcj/fig2dev/ci/11fba42e388ff7d92f81518406429bdea0a6a3b3
+
+---
+ fig2dev/fig2dev.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fig2dev/fig2dev.c b/fig2dev/fig2dev.c
+index 62ec099..949671e 100644
+--- a/fig2dev/fig2dev.c
++++ b/fig2dev/fig2dev.c
+@@ -161,9 +161,9 @@ static struct depth_opts {
+ 
+ static char	Usage[] =
+ #ifdef I18N
+-"Usage:\n %s -hV\n %s -L language [-s size] [-m scale] [-j] [input [output]]\n";
++"Usage:\n %1$s -hV\n %1$s -L language [-s size] [-m scale] [-j] [input [output]]\n";
+ #else
+-    "Usage:\n %s -hV\n %s -L language [-s size] [-m scale] [input [output]]\n";
++    "Usage:\n %1$s -hV\n %1$s -L language [-s size] [-m scale] [input [output]]\n";
+ #endif
+ 
+ static int	 parse_gridspec(char *string, float *numer, float *denom,
+@@ -218,8 +218,10 @@ get_args(int argc, char *argv[])
+ 	char	*grid, *p;
+ 	float	 numer, denom;
+ 
+-	if (argc == 1)
+-	    fprintf(stderr, Usage, prog, prog);
++	if (argc == 1) {
++		fprintf(stderr, Usage, prog);
++		exit(EXIT_SUCCESS);
++	}
+ 
+ 	/* print the version, for the comfort of the autotest tests */
+ 	if (!strcmp(argv[1], "--version")) {
+-- 
+2.31.1
+

SPECS/transfig.spec

@@ -1,6 +1,6 @@
 Name:		transfig
 Version:	3.2.7b
-Release:	6%{?dist}
+Release:	10%{?dist}
 Epoch:		1
 Summary:	Utility for converting FIG files (made by xfig) to other formats
 License:	MIT
@@ -15,6 +15,16 @@ Patch5:		0005-Correctly-scan-embedded-pdfs-for-MediaBox-value.patch
 Patch6:		0006-fig2dev-version-prints-version-information.patch
 Patch7:		0007-Use-getopt-from-standard-libraries-if-available.patch
 Patch8:		0008-Replace-most-calls-to-fgets-by-getline-in-read.c.patch
+Patch9:		0009-CVE-2020-21681-CVE-2020-21682.patch
+Patch10:	0010-CVE-2020-21683.patch
+Patch11:	0011-CVE-2020-21680.patch
+Patch12:  0012-CVE-2020-21678-CVE-2020-21684.patch
+Patch13:  0013-CVE-2020-21676.patch
+Patch14:  0014-CVE-2020-21529.patch
+Patch15:  0015-CVE-2020-21532.patch
+Patch16:  0016-CVE-2020-21531.patch
+Patch17:  0017-CVE-2021-32280.patch
+Patch18:  0018-exit-no-args.patch
 
 Requires:	ghostscript
 Requires:	bc
@@ -67,6 +77,26 @@ mv fig2dev.1.in.new man/fig2dev.1.in
 
 
 %changelog
+* Mon Oct 18 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-10
+- Exit correctly when invoked without arguments (#2015001)
+
+* Thu Sep 23 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-9
+- Fixed CVE-2021-32280 (#2006830)
+
+* Mon Sep 20 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-8
+- Fixed CVE-2020-21529 (#2005518)
+- Fixed CVE-2020-21532 (#2006007)
+- Fixed CVE-2020-21531 (#2006002)
+
+* Mon Aug 30 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-7
+- Fixed CVE-2020-21681 (#1998350)
+- Fixed CVE-2020-21683 (#1998594)
+- Fixed CVE-2020-21680 (#1998306)
+- Fixed CVE-2020-21684 (#2000747)
+- Fixed CVE-2020-21678 (#2000741)
+- Fixed CVE-2020-21676 (#2000751)
+- Fixed CVE-2020-21682 (#2000738)
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.2.7b-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688