Detect nan in spline control values

Resolves: RHEL-131210
2025-12-03 12:10:40 +01:00 · 2025-12-03 12:10:40 +01:00 · aeef8a279e
commit aeef8a279e
parent 579012fc44
2 changed files with 100 additions and 1 deletions
--- a/0001-CVE-2025-46397.patch
+++ b/0001-CVE-2025-46397.patch
@ -0,0 +1,94 @@
+From 99ce6e57659d98f88434c1ab25c4efc58ebee67c Mon Sep 17 00:00:00 2001
+From: Marian Koncek <mkoncek@redhat.com>
+Date: Wed, 3 Dec 2025 09:56:21 +0100
+Subject: [PATCH] CVE-2025-46397 Detect nan in spline control values.
+
+Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
+---
+ fig2dev/read.c                 | 28 ++++++++++++++++++++++++++++
+ fig2dev/tests/read_sanitize.at | 19 +++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+diff --git a/fig2dev/read.c b/fig2dev/read.c
+index be9f62c..aa3fa12 100644
+--- a/fig2dev/read.c
+++ b/fig2dev/read.c
+@@ -29,6 +29,7 @@
+ #endif
+ 
+ #include <stdio.h>
+#include <math.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <strings.h>
+@@ -1160,6 +1161,19 @@ read_splineobject(FILE *fp)
+ 	    free_splinestorage(s);
+ 	    return NULL;
+ 	    }
+	if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
+		!isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
+		!isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
+		!isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
+	{
+	    /* clean up, to pass test "reject huge spline controls
+	       values" when -fsanitize=address is enabled */
+	    cp->next = NULL;
+	    free_splinestorage(s);
+	    put_msg("Spline control points out of range "
+		    "at line %d.", line_no);
+	    exit(EXIT_FAILURE);
+	}
+ 	cp->lx = lx; cp->ly = ly;
+ 	cp->rx = rx; cp->ry = ry;
+ 	while (--c) {
+@@ -1177,6 +1191,20 @@ read_splineobject(FILE *fp)
+ 		free_splinestorage(s);
+ 		return NULL;
+ 		}
+	    if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
+		!isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
+		!isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
+		!isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
+	    {
+		/* clean up, to pass test "reject huge spline controls
+		   values" when -fsanitize=address is enabled */
+		cp->next = NULL;
+		free_splinestorage(s);
+		free(cq);
+		put_msg("Spline control points out of range "
+			"at line %d.", line_no);
+		exit(EXIT_FAILURE);
+	    }
+ 	    cq->lx = lx; cq->ly = ly;
+ 	    cq->rx = rx; cq->ry = ry;
+ 	    cp->next = cq;
+diff --git a/fig2dev/tests/read_sanitize.at b/fig2dev/tests/read_sanitize.at
+index dc7508e..ccc8550 100644
+--- a/fig2dev/tests/read_sanitize.at
+++ b/fig2dev/tests/read_sanitize.at
+@@ -115,3 +115,22 @@ EOF
+ A single point with a backward arrow - remove the arrow.
+ ])
+ AT_CLEANUP
+
+AT_SETUP([reject nan in spline controls values, #192])
+AT_KEYWORDS([read.c])
+# Use an output language that does not natively support Bezier splines.
+# Otherwise, the huge values are simply copied to the output.
+AT_CHECK([fig2dev -L epic <<EOF
+#FIG 3.1
+Landscape
+Center
+Metric
+1200 2
+3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2
+	 0 0 1200 0
+	 600 600 600 nan
+	 600 600 600 600
+EOF
+], 1, ignore, [Spline control points out of range at line 8.
+])
+AT_CLEANUP
+-- 
+2.51.1
+
--- a/transfig.spec
+++ b/transfig.spec
@ -1,12 +1,13 @@
 Name:		transfig
 Version:	3.2.6a
-Release:	4%{?dist}
+Release:	5%{?dist}
 Epoch:		1
 Summary:	Utility for converting FIG files (made by xfig) to other formats
 License:	MIT
 URL:		https://sourceforge.net/projects/mcj/
 Source0:	http://downloads.sourceforge.net/mcj/fig2dev-%{version}.tar.xz
 Patch1:         fig2dev-3.2.6a-CVE-2017-16899.patch
+Patch2:         0001-CVE-2025-46397.patch

 Requires:	ghostscript
 Requires:	bc
@ -48,6 +49,10 @@ make %{?_smp_mflags}
 %{_mandir}/man1/*.1.gz

 %changelog
+* Wed Dec 03 2025 Marian Koncek <mkoncek@redhat.com> - 1:3.2.6a-5
+- Detect nan in spline control values
+- Fix for CVE-2025-46397
+
 * Mon Jul 16 2018 Honza Horak <hhorak@redhat.com> - 1:3.2.6a-4
 - Remove license GPLv3+