cccfee3cdc
Add patch fixing CVE-2019-19746 (rhbz#1787040) Add patch fixing CVE-2019-19797 (rhbz#1786726)
90 lines
2.9 KiB
Diff
90 lines
2.9 KiB
Diff
From 3065abc7b4f740ed6532322843531317de782a26 Mon Sep 17 00:00:00 2001
|
|
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
|
|
Date: Tue, 10 Dec 2019 13:17:36 +0100
|
|
Subject: [PATCH 3/8] Reject huge arrow types, ticket #57
|
|
|
|
An arrow type being large enough would pass the test for
|
|
a valid type by integer overflow.
|
|
---
|
|
CHANGES | 1 +
|
|
fig2dev/arrow.c | 13 ++++++++-----
|
|
fig2dev/tests/read.at | 12 ++++++++++++
|
|
3 files changed, 21 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/CHANGES b/CHANGES
|
|
index edd0843..964dc84 100644
|
|
--- a/CHANGES
|
|
+++ b/CHANGES
|
|
@@ -6,6 +6,7 @@ Patchlevel Xx (Xxx 20xx)
|
|
|
|
BUGS FIXED:
|
|
Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
|
|
+ o Reject huge arrow types causing integer overflow. Ticket #57.
|
|
o Allow Fig v2 text strings ending with multiple ^A. Ticket #55.
|
|
o Embed images in pdfs with their original compression type, i.e., leave
|
|
the gs switch "-dAutoFilterColorImages" at its default value "true".
|
|
diff --git a/fig2dev/arrow.c b/fig2dev/arrow.c
|
|
index a8e7fd0..34bcf18 100644
|
|
--- a/fig2dev/arrow.c
|
|
+++ b/fig2dev/arrow.c
|
|
@@ -1,9 +1,10 @@
|
|
/*
|
|
* Fig2dev: Translate Fig code to various Devices
|
|
- * Copyright (c) 1985 by Supoj Sutantavibul
|
|
* Copyright (c) 1991 by Micah Beck
|
|
- * Parts Copyright (c) 1989-2002 by Brian V. Smith
|
|
- * Parts Copyright (c) 2015-2018 by Thomas Loimer
|
|
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
|
|
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
|
|
+ * Parts Copyright (c) 2015-2019 by Thomas Loimer
|
|
+ *
|
|
*
|
|
* Any party obtaining a copy of these files is granted, free of charge, a
|
|
* full and unrestricted irrevocable, world-wide, paid up, royalty-free,
|
|
@@ -78,7 +79,9 @@ make_arrow(int type, int style, double thickness, double wid, double ht)
|
|
{
|
|
F_arrow *a;
|
|
|
|
- if (style < 0 || style > 1 || type < 0 || (type + 1) * 2 > NUMARROWS)
|
|
+ if (style < 0 || style > 1 || type < 0 ||
|
|
+ /* beware of int overflow */
|
|
+ type > NUMARROWS || (type + 1) * 2 > NUMARROWS)
|
|
return NULL;
|
|
if (NULL == (Arrow_malloc(a))) {
|
|
put_msg(Err_mem);
|
|
@@ -90,7 +93,7 @@ make_arrow(int type, int style, double thickness, double wid, double ht)
|
|
|
|
a->type = type;
|
|
a->style = style;
|
|
- a->thickness = thickness*THICK_SCALE;
|
|
+ a->thickness = thickness * THICK_SCALE;
|
|
a->wid = wid;
|
|
a->ht = ht;
|
|
return a;
|
|
diff --git a/fig2dev/tests/read.at b/fig2dev/tests/read.at
|
|
index c36d07a..e9a71a3 100644
|
|
--- a/fig2dev/tests/read.at
|
|
+++ b/fig2dev/tests/read.at
|
|
@@ -135,6 +135,18 @@ A single point with a backward arrow - remove the arrow.
|
|
])
|
|
AT_CLEANUP
|
|
|
|
+AT_SETUP([reject huge arrow-type, ticket #57])
|
|
+AT_KEYWORDS(arrow.c arrow)
|
|
+AT_CHECK([fig2dev -L box <<EOF
|
|
+FIG_FILE_TOP
|
|
+2 1 0 1 -1 -1 50 -1 -1 0. 0 0 0 1 0 2
|
|
+ 10000000000000 0 1 60 120
|
|
+0 0 600 0
|
|
+EOF
|
|
+], 1, ignore, [Invalid forward arrow at line 11.
|
|
+])
|
|
+AT_CLEANUP
|
|
+
|
|
AT_SETUP([reject negative font type])
|
|
AT_KEYWORDS(read.c font)
|
|
AT_CHECK([fig2dev -L box <<EOF
|
|
--
|
|
2.24.1
|
|
|