From 3065abc7b4f740ed6532322843531317de782a26 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Tue, 10 Dec 2019 13:17:36 +0100
Subject: [PATCH 3/8] Reject huge arrow types, ticket #57

An arrow type being large enough would pass the test for
a valid type by integer overflow.
---
 CHANGES               |  1 +
 fig2dev/arrow.c       | 13 ++++++++-----
 fig2dev/tests/read.at | 12 ++++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index edd0843..964dc84 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,7 @@ Patchlevel Xx (Xxx 20xx)
 
 BUGS FIXED:
 	Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+	o Reject huge arrow types causing integer overflow. Ticket #57.
 	o Allow Fig v2 text strings ending with multiple ^A. Ticket #55.
 	o Embed images in pdfs with their original compression type, i.e., leave
 	  the gs switch "-dAutoFilterColorImages" at its default value "true".
diff --git a/fig2dev/arrow.c b/fig2dev/arrow.c
index a8e7fd0..34bcf18 100644
--- a/fig2dev/arrow.c
+++ b/fig2dev/arrow.c
@@ -1,9 +1,10 @@
 /*
  * Fig2dev: Translate Fig code to various Devices
- * Copyright (c) 1985 by Supoj Sutantavibul
  * Copyright (c) 1991 by Micah Beck
- * Parts Copyright (c) 1989-2002 by Brian V. Smith
- * Parts Copyright (c) 2015-2018 by Thomas Loimer
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+ * Parts Copyright (c) 2015-2019 by Thomas Loimer
+ *
  *
  * Any party obtaining a copy of these files is granted, free of charge, a
  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
@@ -78,7 +79,9 @@ make_arrow(int type, int style, double thickness, double wid, double ht)
 {
 	F_arrow		*a;
 
-	if (style < 0 || style > 1 || type < 0 || (type + 1) * 2 > NUMARROWS)
+	if (style < 0 || style > 1 || type < 0 ||
+			/* beware of int overflow */
+			type > NUMARROWS || (type + 1) * 2 > NUMARROWS)
 		return NULL;
 	if (NULL == (Arrow_malloc(a))) {
 		put_msg(Err_mem);
@@ -90,7 +93,7 @@ make_arrow(int type, int style, double thickness, double wid, double ht)
 
 	a->type = type;
 	a->style = style;
-	a->thickness = thickness*THICK_SCALE;
+	a->thickness = thickness * THICK_SCALE;
 	a->wid = wid;
 	a->ht = ht;
 	return a;
diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
index c36d07a..e9a71a3 100644
--- a/fig2dev/tests/read.at
+++ b/fig2dev/tests/read.at
@@ -135,6 +135,18 @@ A single point with a backward arrow - remove the arrow.
 ])
 AT_CLEANUP
 
+AT_SETUP([reject huge arrow-type, ticket #57])
+AT_KEYWORDS(arrow.c arrow)
+AT_CHECK([fig2dev -L box <<EOF
+FIG_FILE_TOP
+2 1 0 1 -1 -1 50 -1 -1 0. 0 0 0 1 0 2
+	10000000000000 0 1 60 120
+0 0 600 0
+EOF
+], 1, ignore, [Invalid forward arrow at line 11.
+])
+AT_CLEANUP
+
 AT_SETUP([reject negative font type])
 AT_KEYWORDS(read.c font)
 AT_CHECK([fig2dev -L box <<EOF
-- 
2.24.1