diff options
Diffstat (limited to 'media-gfx/xfig/files/xfig-3.2.5b-figparserstack.patch')
-rw-r--r-- | media-gfx/xfig/files/xfig-3.2.5b-figparserstack.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/media-gfx/xfig/files/xfig-3.2.5b-figparserstack.patch b/media-gfx/xfig/files/xfig-3.2.5b-figparserstack.patch new file mode 100644 index 000000000000..7f4668214acc --- /dev/null +++ b/media-gfx/xfig/files/xfig-3.2.5b-figparserstack.patch @@ -0,0 +1,61 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 30_figparserstack.dpatch by Hans de Goede <j.w.r.degoede@hhs.nl> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix Stack-based buffer overflow by loading malformed .FIG files +## DP: https://bugzilla.redhat.com/show_bug.cgi?id=543905 +## DP: Closes: #559274 + +@DPATCH@ +diff -urNad xfig~/f_readold.c xfig/f_readold.c +--- xfig~/f_readold.c ++++ xfig/f_readold.c +@@ -471,7 +471,7 @@ + F_text *t; + int n; + int dum; +- char buf[128]; ++ char buf[512]; + PR_SIZE tx_dim; + + if ((t = create_text()) == NULL) +@@ -485,22 +485,34 @@ + t->pen_style = -1; + t->angle = 0.0; + t->next = NULL; ++ if (!fgets(buf, sizeof(buf), fp)) { ++ file_msg("Incomplete text data"); ++ free((char *) t); ++ return (NULL); ++ } ++ ++ /* Note using strlen(buf) here will waste a few bytes, as the ++ various text attributes are counted into this length too. */ ++ if ((t->cstring = new_string(strlen(buf))) == NULL) ++ return (NULL); ++ + /* ascent and length will be recalculated later */ +- n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]", ++ n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]", + &t->font, &dum, &dum, &t->ascent, &t->length, +- &t->base_x, &t->base_y, buf); ++ &t->base_x, &t->base_y, t->cstring); + if (n != 8) { + file_msg("Incomplete text data"); ++ free(t->cstring); + free((char *) t); + return (NULL); + } +- if ((t->cstring = new_string(strlen(buf))) == NULL) { ++ ++ if (!strlen(t->cstring)) { ++ free(t->cstring); + free((char *) t); + file_msg("Empty text string at line %d.", line_no); + return (NULL); + } +- /* put string in structure */ +- strcpy(t->cstring, buf); + + /* get the font struct */ + t->zoom = zoomscale; |