rpms/transfig
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import OL transfig-3.2.7b-11.el9_7

Browse Source
This commit is contained in:
eabdullin 2026-01-16 09:17:25 +00:00
parent d36df5f1d9
commit eac6a50446
2 changed files with 93 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
SOURCES/0019-CVE-2025-46397.patch Normal file
View File

@ -0,0 +1,87 @@
From 1219de0f7542cfabf505ed4adad71c9f6aface33 Mon Sep 17 00:00:00 2001
From: Marian Koncek <mkoncek@redhat.com>
Date: Wed, 10 Dec 2025 09:42:06 +0100
Subject: [PATCH] CVE-2025-46397 Detect nan in spline control values
Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
---
fig2dev/read.c | 21 +++++++++++++++++++--
fig2dev/tests/read.at | 19 +++++++++++++++++++
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/fig2dev/read.c b/fig2dev/read.c
index 349a685..d9d047f 100644
--- a/fig2dev/read.c
+++ b/fig2dev/read.c
@@ -21,6 +21,7 @@
#endif
#include <stdio.h>
+#include <math.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_STRINGS_H
@@ -1376,6 +1377,19 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
free_splinestorage(s);
return NULL;
}
+ if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
+ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
+ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
+ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
+ {
+ /* clean up, to pass test "reject huge spline controls
+ values" when -fsanitize=address is enabled */
+ cp->next = NULL;
+ free_splinestorage(s);
+ put_msg("Spline control points out of range "
+ "at line %d.", *line_no);
+ exit(EXIT_FAILURE);
+ }
cp->lx = lx; cp->ly = ly;
cp->rx = rx; cp->ry = ry;
while (--c) {
@@ -1393,8 +1407,11 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
free_splinestorage(s);
return NULL;
}
- if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
- rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
+ if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
+ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
+ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
+ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
+ {
/* do not care to clean up, we exit anyway
cp->next = NULL;
free_splinestorage(s); */
diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
index 7765805..580964f 100644
--- a/fig2dev/tests/read.at
+++ b/fig2dev/tests/read.at
@@ -465,3 +465,22 @@ AT_CHECK([fig2dev -L eps $srcdir/data/boxwimg.fig | \
$FGREP "% Begin Imported EPS File: $srcdir/data/line.eps"
],0,ignore)
AT_CLEANUP
+
+AT_SETUP([reject nan in spline controls values, #192])
+AT_KEYWORDS([read.c])
+# Use an output language that does not natively support Bezier splines.
+# Otherwise, the huge values are simply copied to the output.
+AT_CHECK([fig2dev -L epic <<EOF
+#FIG 3.1
+Landscape
+Center
+Metric
+1200 2
+3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2
+ 0 0 1200 0
+ 600 600 600 nan
+ 600 600 600 600
+EOF
+], 1, ignore, [Spline control points out of range at line 8.
+])
+AT_CLEANUP
--
2.51.1

7
SPECS/transfig.spec
View File

@ -1,6 +1,6 @@
Name: transfig
Version: 3.2.7b
Release: 10%{?dist}
Release: 11%{?dist}
Epoch: 1
Summary: Utility for converting FIG files (made by xfig) to other formats
License: MIT
@ -25,6 +25,7 @@ Patch15: 0015-CVE-2020-21532.patch
Patch16: 0016-CVE-2020-21531.patch
Patch17: 0017-CVE-2021-32280.patch
Patch18: 0018-exit-no-args.patch
Patch19: 0019-CVE-2025-46397.patch
Requires: ghostscript
Requires: bc
@ -77,6 +78,10 @@ mv fig2dev.1.in.new man/fig2dev.1.in
%changelog
* Wed Dec 03 2025 Marian Koncek <mkoncek@redhat.com> - 1:3.2.7b-11
- Detect nan in spline control values
- CVE-2025-46397
* Mon Oct 18 2021 Ondrej Dubaj <odubaj@redhat.com> - 1:3.2.7b-10
- Exit correctly when invoked without arguments (#2015001)