From eac6a5044663da03703e021a4121f5fe1308b0d6 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Fri, 16 Jan 2026 09:17:25 +0000 Subject: [PATCH] import OL transfig-3.2.7b-11.el9_7 --- SOURCES/0019-CVE-2025-46397.patch | 87 +++++++++++++++++++++++++++++++ SPECS/transfig.spec | 7 ++- 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0019-CVE-2025-46397.patch diff --git a/SOURCES/0019-CVE-2025-46397.patch b/SOURCES/0019-CVE-2025-46397.patch new file mode 100644 index 0000000..db332db --- /dev/null +++ b/SOURCES/0019-CVE-2025-46397.patch @@ -0,0 +1,87 @@ +From 1219de0f7542cfabf505ed4adad71c9f6aface33 Mon Sep 17 00:00:00 2001 +From: Marian Koncek +Date: Wed, 10 Dec 2025 09:42:06 +0100 +Subject: [PATCH] CVE-2025-46397 Detect nan in spline control values + +Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/ +--- + fig2dev/read.c | 21 +++++++++++++++++++-- + fig2dev/tests/read.at | 19 +++++++++++++++++++ + 2 files changed, 38 insertions(+), 2 deletions(-) + +diff --git a/fig2dev/read.c b/fig2dev/read.c +index 349a685..d9d047f 100644 +--- a/fig2dev/read.c ++++ b/fig2dev/read.c +@@ -21,6 +21,7 @@ + #endif + + #include ++#include + #include + #include + #ifdef HAVE_STRINGS_H +@@ -1376,6 +1377,19 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len, + free_splinestorage(s); + return NULL; + } ++ if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX || ++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX || ++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX || ++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX) ++ { ++ /* clean up, to pass test "reject huge spline controls ++ values" when -fsanitize=address is enabled */ ++ cp->next = NULL; ++ free_splinestorage(s); ++ put_msg("Spline control points out of range " ++ "at line %d.", *line_no); ++ exit(EXIT_FAILURE); ++ } + cp->lx = lx; cp->ly = ly; + cp->rx = rx; cp->ry = ry; + while (--c) { +@@ -1393,8 +1407,11 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len, + free_splinestorage(s); + return NULL; + } +- if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX || +- rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) { ++ if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX || ++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX || ++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX || ++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX) ++ { + /* do not care to clean up, we exit anyway + cp->next = NULL; + free_splinestorage(s); */ +diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at +index 7765805..580964f 100644 +--- a/fig2dev/tests/read.at ++++ b/fig2dev/tests/read.at +@@ -465,3 +465,22 @@ AT_CHECK([fig2dev -L eps $srcdir/data/boxwimg.fig | \ + $FGREP "% Begin Imported EPS File: $srcdir/data/line.eps" + ],0,ignore) + AT_CLEANUP ++ ++AT_SETUP([reject nan in spline controls values, #192]) ++AT_KEYWORDS([read.c]) ++# Use an output language that does not natively support Bezier splines. ++# Otherwise, the huge values are simply copied to the output. ++AT_CHECK([fig2dev -L epic < - 1:3.2.7b-11 +- Detect nan in spline control values +- CVE-2025-46397 + * Mon Oct 18 2021 Ondrej Dubaj - 1:3.2.7b-10 - Exit correctly when invoked without arguments (#2015001)