transfig/fig2dev-3.2.6a-CVE-2017-16899.patch
Hans de Goede 1206db636e New upstream release 3.2.6a
Add patch fixing CVE-2017-16899 (rhbz#1515695)
2017-11-21 15:40:53 +01:00

39 lines
1.2 KiB
Diff

diff -up fig2dev-3.2.6a/fig2dev/read.c.orig fig2dev-3.2.6a/fig2dev/read.c
--- fig2dev-3.2.6a/fig2dev/read.c.orig 2017-01-07 23:01:19.000000000 +0100
+++ fig2dev-3.2.6a/fig2dev/read.c 2017-11-21 15:17:31.195643198 +0100
@@ -1329,8 +1329,14 @@ read_textobject(FILE *fp)
| PSFONT_TEXT;
/* keep the font number reasonable */
- if (t->font > MAXFONT(t))
+ if (t->font > MAXFONT(t)) {
t->font = MAXFONT(t);
+ } else if (t->font < 0 ) {
+ if (psfont_text(t) && t->font < -1)
+ t->font = -1;
+ else
+ t->font = 0;
+ }
fix_and_note_color(&t->color);
t->comments = attach_comments(); /* attach any comments */
return t;
diff -up fig2dev-3.2.6a/fig2dev/read1_3.c.orig fig2dev-3.2.6a/fig2dev/read1_3.c
--- fig2dev-3.2.6a/fig2dev/read1_3.c.orig 2016-08-19 21:34:38.000000000 +0200
+++ fig2dev-3.2.6a/fig2dev/read1_3.c 2017-11-21 15:17:31.196643206 +0100
@@ -470,6 +470,15 @@ read_textobject(FILE *fp)
free((char*) t);
return(NULL);
}
+ /* keep the font number within valid range */
+ if (t->font > MAXFONT(t)) {
+ t->font = MAXFONT(t);
+ } else if (t->font < 0 ) {
+ if (psfont_text(t) && t->font < -1)
+ t->font = -1;
+ else
+ t->font = 0;
+ }
(void)strcpy(t->cstring, buf);
if (t->size == 0) t->size = 18;
return(t);