From aeef8a279e000d170bbe9e6f3003b808b2dbd48f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mari=C3=A1n=20Kon=C4=8Dek?=
Date: Wed, 3 Dec 2025 12:10:40 +0100
Subject: [PATCH] Detect nan in spline control values
Resolves: RHEL-131210
---
 0001-CVE-2025-46397.patch | 94 +++++++++++++++++++++++++++++++++++++++
 transfig.spec | 7 ++-
 2 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 0001-CVE-2025-46397.patch
diff --git a/0001-CVE-2025-46397.patch b/0001-CVE-2025-46397.patch
new file mode 100644
index 0000000..89d0261
--- /dev/null
+++ b/0001-CVE-2025-46397.patch
@@ -0,0 +1,94 @@
+From 99ce6e57659d98f88434c1ab25c4efc58ebee67c Mon Sep 17 00:00:00 2001
+From: Marian Koncek
+Date: Wed, 3 Dec 2025 09:56:21 +0100
+Subject: [PATCH] CVE-2025-46397 Detect nan in spline control values.
+
+Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
+---
+ fig2dev/read.c | 28 ++++++++++++++++++++++++++++
+ fig2dev/tests/read_sanitize.at | 19 +++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+diff --git a/fig2dev/read.c b/fig2dev/read.c
+index be9f62c..aa3fa12 100644
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -29,6 +29,7 @@
+ #endif
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -1160,6 +1161,19 @@ read_splineobject(FILE *fp)
+ free_splinestorage(s);
+ return NULL;
+ }
++ if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
++ {
++ /* clean up, to pass test "reject huge spline controls
++ values" when -fsanitize=address is enabled */
++ cp->next = NULL;
++ free_splinestorage(s);
++ put_msg("Spline control points out of range "
++ "at line %d.", line_no);
++ exit(EXIT_FAILURE);
++ }
+ cp->lx = lx; cp->ly = ly;
+ cp->rx = rx; cp->ry = ry;
+ while (--c) {
+@@ -1177,6 +1191,20 @@ read_splineobject(FILE *fp)
+ free_splinestorage(s);
+ return NULL;
+ }
++ if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
++ {
++ /* clean up, to pass test "reject huge spline controls
++ values" when -fsanitize=address is enabled */
++ cp->next = NULL;
++ free_splinestorage(s);
++ free(cq);
++ put_msg("Spline control points out of range "
++ "at line %d.", line_no);
++ exit(EXIT_FAILURE);
++ }
+ cq->lx = lx; cq->ly = ly;
+ cq->rx = rx; cq->ry = ry;
+ cp->next = cq;
+diff --git 
a/fig2dev/tests/read_sanitize.at
+index dc7508e..ccc8550 100644
+--- a/fig2dev/tests/read_sanitize.at
++++ b/fig2dev/tests/read_sanitize.at
+@@ -115,3 +115,22 @@ EOF
+ A single point with a backward arrow - remove the arrow.
+ ])
+ AT_CLEANUP
++
++AT_SETUP([reject nan in spline controls values, #192])
++AT_KEYWORDS([read.c])
++# Use an output language that does not natively support Bezier splines.
++# Otherwise, the huge values are simply copied to the output.
++AT_CHECK([fig2dev -L epic < - 1:3.2.6a-5
+- Detect nan in spline control values
+- Fix for CVE-2025-46397
+ * Mon Jul 16 2018 Honza Horak - 1:3.2.6a-4 - Remove license GPLv3+
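Review bot: The 13-line control-point range check added in the `@@ -1160` hunk of read.c is pasted again verbatim in the `@@ -1177` hunk, differing only in the extra `free(cq)`, so the two copies will drift the next time the bound changes; a small `static` helper would keep them identical and also record why `isfinite()` is needed next to the `INT_MIN`/`INT_MAX` bounds (NaN compares false against every bound, so the `<`/`>` tests alone would let it through — the whole point of the CVE fix). Both copies end in `exit(EXIT_FAILURE)` while the error path three lines above them frees the spline and `return NULL`s; if the exit is deliberate — the in-code comment suggests the ASan-instrumented test only checks that the process fails — a one-line comment such as `/* exit rather than return NULL: a malformed spline must not reach any output driver */` would stop a later reader from "fixing" it, otherwise `return NULL;` keeps read_splineobject's error contract uniform. The comment names the test "reject huge spline controls values" but the test this patch adds to read_sanitize.at is "reject nan in spline controls values, #192", which looks like a stale name worth correcting. read_splineobject starts and ends outside the hunk, the declared type of lx..ry is not visible (the helper below assumes a floating type, as the `isfinite()` call implies), and the heredoc body of the new AT_CHECK is cut off in this copy of the patch.
```c
/* A spline control coordinate is usable only if it is finite and fits in
 * an int; NaN compares false against every bound, so isfinite() is needed. */
static int
control_in_range(double v)
{
	return isfinite(v) && v >= INT_MIN && v <= INT_MAX;
}

/* … unchanged: read_splineobject up to the first control-point read … */
	if (!control_in_range(lx) || !control_in_range(ly) ||
	    !control_in_range(rx) || !control_in_range(ry)) {
		/* clean up so -fsanitize=address reports no leak on exit */
		cp->next = NULL;
		free_splinestorage(s);
		put_msg("Spline control points out of range "
		    "at line %d.", line_no);
		exit(EXIT_FAILURE);
	}
/* … unchanged: the copy inside while (--c) is the same test, plus free(cq) … */
```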