Fixed CVE-2020-21529

Resolves: #2005518

0014-CVE-2020-21529.patch

@@ -0,0 +1,32 @@
+From 2397ae3bb903f59a017c8ec9db87164048b86827 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Mon, 20 Sep 2021 08:31:22 +0200
+Subject: [PATCH] Keep coordinates of spline controls within sane range
+
+---
+ fig2dev/read.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fig2dev/read.c b/fig2dev/read.c
+index 6e47f2d..349a685 100644
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1392,6 +1392,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
+ 		cp->next = NULL;
+ 		free_splinestorage(s);
+ 		return NULL;
++	    }
++		if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
++		rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
++		    /* do not care to clean up, we exit anyway
++		       cp->next = NULL;
++		       free_splinestorage(s);	*/
++		    put_msg("Spline control points out of range at line %d.",
++				    *line_no);
++		    exit(EXIT_FAILURE);
+ 	    }
+ 	    cq->lx = lx; cq->ly = ly;
+ 	    cq->rx = rx; cq->ry = ry;
+-- 
+2.31.1
+

transfig.spec

@@ -1,6 +1,6 @@
 Name:		transfig
 Version:	3.2.7b
-Release:	7%{?dist}
+Release:	8%{?dist}
 Epoch:		1
 Summary:	Utility for converting FIG files (made by xfig) to other formats
 License:	MIT
@@ -20,6 +20,7 @@ Patch10:	0010-CVE-2020-21683.patch
 Patch11:	0011-CVE-2020-21680.patch
 Patch12:  0012-CVE-2020-21678-CVE-2020-21684.patch
 Patch13:  0013-CVE-2020-21676.patch
+Patch14:  0014-CVE-2020-21529.patch
 
 Requires:	ghostscript
 Requires:	bc
@@ -72,6 +73,9 @@ mv fig2dev.1.in.new man/fig2dev.1.in
 
 
 %changelog
+* Mon Sep 20 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-8
+- Fixed CVE-2020-21529 (#2005518)
+
 * Mon Aug 30 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-7
 - Fixed CVE-2020-21681 (#1998350)
 - Fixed CVE-2020-21683 (#1998594)