Fixed CVE-2020-21681

Resolves: #1998350

0009-CVE-2020-21681.patch

@@ -0,0 +1,109 @@
+Subject: [PATCH] Allow DEFAULT color in cgm and ge output and fix memory leak
+ in gencgm.c
+
+---
+ fig2dev/dev/gencgm.c        |  8 +++++++-
+ fig2dev/dev/genge.c         |  7 ++++---
+ fig2dev/tests/data/line.fig |  2 +-
+ fig2dev/tests/output.at     | 10 ++++++++++
+ 4 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/fig2dev/dev/gencgm.c b/fig2dev/dev/gencgm.c
+index 6d9d9cb..0033c36 100644
+--- a/fig2dev/dev/gencgm.c
++++ b/fig2dev/dev/gencgm.c
+@@ -148,9 +148,11 @@ gencgm_start(F_compound *objects)
+ {
+   int	 i;
+   char	*p, *figname;
++  char	*figname_buf = NULL;
+ 
+   if (from) {
+-	figname = strdup(from);
++	figname_buf = strdup(from);
++	figname = figname_buf;
+ 	p = strrchr(figname, '/');
+ 	if (p)
+ 	    figname = p+1;	/* remove path from name for comment in file */
+@@ -252,6 +254,8 @@ gencgm_start(F_compound *objects)
+     print_comments("% ",objects->comments, " %");
+     fprintf(tfp,"%% %%\n");
+   }
++  if (figname_buf)
++    free(figname_buf);
+ }
+ 
+ int
+@@ -549,6 +553,8 @@ hatchindex(index)
+ static void
+ getrgb(int color, int *r, int *g, int *b)
+ {
++  if (color < 0)	/* DEFAULT color is black */
++    color = 0;
+   if (color < NUM_STD_COLS) {
+     *r = stdcols[color].r * 255.;
+     *g = stdcols[color].g * 255.;
+diff --git a/fig2dev/dev/genge.c b/fig2dev/dev/genge.c
+index 8caabf1..c2ab712 100644
+--- a/fig2dev/dev/genge.c
++++ b/fig2dev/dev/genge.c
+@@ -52,7 +52,8 @@ static void	genge_ctl_spline(F_spline *s);
+ 				    /* color mapping		*/
+ 				    /* xfig	ge		*/
+ 
+-static int	GE_COLORS[] = {	 1, /* black	black		*/
++static int	GE_COLORS[] = {  1, /* DEFAULT == black		*/
++				 1, /* black	black		*/
+ 				 8, /* blue	blue		*/
+ 				 7, /* green	green		*/
+ 				 6, /* cyan	cyan		*/
+@@ -434,7 +435,7 @@ back_arrow(F_line *l)
+ static void
+ set_color(int col)
+ {
+-	fprintf(tfp,"c%02d ",GE_COLORS[col]);
++	fprintf(tfp,"c%02d ",GE_COLORS[col + 1]);
+ }
+ 
+ /* set fill if there is a fill style */
+@@ -443,7 +444,7 @@ static void
+ set_fill(int style, int color)
+ {
+ 	if (style != UNFILLED)
+-	    fprintf(tfp,"C%02d ",GE_COLORS[color]);
++	    fprintf(tfp,"C%02d ",GE_COLORS[color + 1]);
+ }
+ 
+ /*
+diff --git a/fig2dev/tests/data/line.fig b/fig2dev/tests/data/line.fig
+index e033b12..bfc4976 100644
+--- a/fig2dev/tests/data/line.fig
++++ b/fig2dev/tests/data/line.fig
+@@ -7,5 +7,5 @@ A9
+ Single
+ -2
+ 1200 2
+-2 1 0 3 0 7 50 -1 -1 0.0 0 0 -1 0 0 3
++2 1 0 3 -1 7 50 -1 -1 0.0 0 0 -1 0 0 3
+ 50 50 500 50 500 200
+diff --git a/fig2dev/tests/output.at b/fig2dev/tests/output.at
+index 9a1bc45..79788cc 100644
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -261,3 +261,13 @@ AT_CHECK([fig2dev -L tikz -P big1.fig big1.tex && \
+ 	latex -halt-on-error big1.tex && latex -halt-on-error big2.tex
+ ], 0, ignore)
+ AT_CLEANUP
++
++AT_BANNER([Test other output languages.])
++
++AT_SETUP([allow default color in ge, cgm output, #72, #73])
++AT_KEYWORDS(cgm ge)
++AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig
++], 0, ignore)
++AT_CHECK([fig2dev -L ge $srcdir/data/line.fig
++], 0, ignore)
++AT_CLEANUP
+-- 
+2.31.1
+

transfig.spec

@@ -1,6 +1,6 @@
 Name:		transfig
 Version:	3.2.7b
-Release:	6%{?dist}
+Release:	7%{?dist}
 Epoch:		1
 Summary:	Utility for converting FIG files (made by xfig) to other formats
 License:	MIT
@@ -15,6 +15,7 @@ Patch5:		0005-Correctly-scan-embedded-pdfs-for-MediaBox-value.patch
 Patch6:		0006-fig2dev-version-prints-version-information.patch
 Patch7:		0007-Use-getopt-from-standard-libraries-if-available.patch
 Patch8:		0008-Replace-most-calls-to-fgets-by-getline-in-read.c.patch
+Patch9:		0009-CVE-2020-21681.patch
 
 Requires:	ghostscript
 Requires:	bc
@@ -67,6 +68,9 @@ mv fig2dev.1.in.new man/fig2dev.1.in
 
 
 %changelog
+* Mon Aug 30 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-7
+- Fixed CVE-2020-21681 (#1998350)
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.2.7b-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688