From 99ce6e57659d98f88434c1ab25c4efc58ebee67c Mon Sep 17 00:00:00 2001
|
|
From: Marian Koncek <mkoncek@redhat.com>
|
|
Date: Wed, 3 Dec 2025 09:56:21 +0100
|
|
Subject: [PATCH] CVE-2025-46397 Detect nan in spline control values.
|
|
|
|
Upstream: https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
|
|
---
|
|
fig2dev/read.c | 28 ++++++++++++++++++++++++++++
|
|
fig2dev/tests/read_sanitize.at | 19 +++++++++++++++++++
|
|
2 files changed, 47 insertions(+)
|
|
|
|
diff --git a/fig2dev/read.c b/fig2dev/read.c
|
|
index be9f62c..aa3fa12 100644
|
|
--- a/fig2dev/read.c
|
|
+++ b/fig2dev/read.c
|
|
@@ -29,6 +29,7 @@
|
|
#endif
|
|
|
|
#include <stdio.h>
|
|
+#include <math.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <strings.h>
|
|
@@ -1160,6 +1161,19 @@ read_splineobject(FILE *fp)
|
|
free_splinestorage(s);
|
|
return NULL;
|
|
}
|
|
+ if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
|
|
+ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
|
|
+ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
|
|
+ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
|
|
+ {
|
|
+ /* clean up, to pass test "reject huge spline controls
|
|
+ values" when -fsanitize=address is enabled */
|
|
+ cp->next = NULL;
|
|
+ free_splinestorage(s);
|
|
+ put_msg("Spline control points out of range "
|
|
+ "at line %d.", line_no);
|
|
+ exit(EXIT_FAILURE);
|
|
+ }
|
|
cp->lx = lx; cp->ly = ly;
|
|
cp->rx = rx; cp->ry = ry;
|
|
while (--c) {
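Review bot: The new guard starting at `if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||` uses INT_MIN/INT_MAX, but the only header this patch adds is `<math.h>`; unless read.c already includes `<limits.h>` above line 29 (not visible in this hunk), the macros are either missing or only reached transitively, so add `#include <limits.h>` beside the new `#include <math.h>`. The new branch also departs from the error path directly above it, which frees the storage and does `return NULL;`, by calling `exit(EXIT_FAILURE)` instead; if the caller already treats NULL as fatal, returning NULL keeps a single error strategy, and if it does not, the comment should say why this input must terminate the program where the preceding error does not. The in-code comment describes `cp->next = NULL;` as scaffolding for an ASan test run; if free_splinestorage() walks the control list, that assignment is what prevents it from following a not-yet-initialised next pointer, and the comment should state that rather than the test name. read_splineobject() begins before and continues after this hunk.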
|
|
@@ -1177,6 +1191,20 @@ read_splineobject(FILE *fp)
|
|
free_splinestorage(s);
|
|
return NULL;
|
|
}
|
|
+ if (!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
|
|
+ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
|
|
+ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
|
|
+ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
|
|
+ {
|
|
+ /* clean up, to pass test "reject huge spline controls
|
|
+ values" when -fsanitize=address is enabled */
|
|
+ cp->next = NULL;
|
|
+ free_splinestorage(s);
|
|
+ free(cq);
|
|
+ put_msg("Spline control points out of range "
|
|
+ "at line %d.", line_no);
|
|
+ exit(EXIT_FAILURE);
|
|
+ }
|
|
cq->lx = lx; cq->ly = ly;
|
|
cq->rx = rx; cq->ry = ry;
|
|
cp->next = cq;
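Review bot: The range test on the four control values is pasted twice in this function (here and in the first-point check above this hunk), and a future change to the accepted range has to be made in two places; hoist it into a small static predicate so both sites read as one condition. The cleanup order in this branch is correct as far as the hunk shows — `cq` is freed separately because `cp->next = cq` is only executed after the check — but the comment should say that instead of naming the ASan test. read_splineobject() begins before and continues after this hunk.
```c
/* Reject NaN/Inf and values that would not fit in an int. */
static int
spline_control_in_range(double lx, double ly, double rx, double ry)
{
	return isfinite(lx) && lx >= INT_MIN && lx <= INT_MAX &&
	       isfinite(ly) && ly >= INT_MIN && ly <= INT_MAX &&
	       isfinite(rx) && rx >= INT_MIN && rx <= INT_MAX &&
	       isfinite(ry) && ry >= INT_MIN && ry <= INT_MAX;
}

	/* … unchanged: read of lx, ly, rx, ry for cq … */
	if (!spline_control_in_range(lx, ly, rx, ry)) {
		/* cq is not linked into the list yet (cp->next = cq comes
		 * after this check), so terminate the list at cp and free
		 * cq on its own. */
		cp->next = NULL;
		free_splinestorage(s);
		free(cq);
		put_msg("Spline control points out of range "
				"at line %d.", line_no);
		exit(EXIT_FAILURE);
	}
```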
|
|
diff --git a/fig2dev/tests/read_sanitize.at b/fig2dev/tests/read_sanitize.at
|
|
index dc7508e..ccc8550 100644
|
|
--- a/fig2dev/tests/read_sanitize.at
|
|
+++ b/fig2dev/tests/read_sanitize.at
|
|
@@ -115,3 +115,22 @@ EOF
|
|
A single point with a backward arrow - remove the arrow.
|
|
])
|
|
AT_CLEANUP
|
|
+
|
|
+AT_SETUP([reject nan in spline controls values, #192])
|
|
+AT_KEYWORDS([read.c])
|
|
+# Use an output language that does not natively support Bezier splines.
|
|
+# Otherwise, the huge values are simply copied to the output.
|
|
+AT_CHECK([fig2dev -L epic <<EOF
|
|
+#FIG 3.1
|
|
+Landscape
|
|
+Center
|
|
+Metric
|
|
+1200 2
|
|
+3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2
|
|
+ 0 0 1200 0
|
|
+ 600 600 600 nan
|
|
+ 600 600 600 600
|
|
+EOF
|
|
+], 1, ignore, [Spline control points out of range at line 8.
|
|
+])
|
|
+AT_CLEANUP
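Review bot: The single input in `AT_CHECK([fig2dev -L epic <<EOF` only reaches one of the two new checks in read.c: the `nan` sits on line 8 of the fig file, so whichever control line that is (the first control point if line 7 carries the point coordinates, otherwise the first loop iteration), the other branch is never executed by the suite. Add a second AT_CHECK that puts `nan` on the other control line (line 9, expecting `Spline control points out of range at line 9.`) so both code paths, including their different cleanup sequences, run under the sanitizer. The comment `# Otherwise, the huge values are simply copied to the output.` was carried over from the "huge values" test; here the value is `nan`, so it should read `# Otherwise, the nan is simply copied to the output.`.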
|
|
--
|
|
2.51.1
|
|
|