From: Hans de Goede <hdegoede@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/xfig] epel10: Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905)
Date: Sat, 30 May 2026 14:25:46 GMT
Message-ID: <178015114684.1.5947164372075309777.rpms-xfig-a64793542bd1@fedoraproject.org>

A new commit has been pushed.

Repo   : rpms/xfig
Branch : epel10
Commit : a64793542bd1d681f802fd8b0d6a6d71debfa852
Author : Hans de Goede <hdegoede@redhat.com>
Date   : 2012-08-12T16:47:27+02:00
Stats  : +62/-6 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/xfig/c/a64793542bd1d681f802fd8b0d6a6d71debfa852?branch=epel10

Log:
Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905)

---
diff --git a/30_figparserstack.patch b/30_figparserstack.patch
new file mode 100644
index 0000000..70d3912
--- /dev/null
+++ b/30_figparserstack.patch
@@ -0,0 +1,56 @@
+From: Hans de Goede <j.w.r.degoede@hhs.nl>
+Subject: Fix Stack-based buffer overflow by loading malformed .FIG files
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=543905
+Bug-Debian: http://bugs.debian.org/559274
+
+--- a/f_readold.c
++++ b/f_readold.c
+@@ -471,7 +471,7 @@
+     F_text	   *t;
+     int		    n;
+     int		    dum;
+-    char	    buf[128];
++    char	    buf[512];
+     PR_SIZE	    tx_dim;
+ 
+     if ((t = create_text()) == NULL)
+@@ -485,22 +485,34 @@
+     t->pen_style = -1;
+     t->angle = 0.0;
+     t->next = NULL;
++    if (!fgets(buf, sizeof(buf), fp)) {
++	file_msg("Incomplete text data");
++	free((char *) t);
++	return (NULL);
++    }
++
++    /* Note using strlen(buf) here will waste a few bytes, as the
++       various text attributes are counted into this length too. */
++    if ((t->cstring = new_string(strlen(buf))) == NULL)
++        return (NULL);
++
+     /* ascent and length will be recalculated later */
+-    n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
++    n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
+ 		&t->font, &dum, &dum, &t->ascent, &t->length,
+-		&t->base_x, &t->base_y, buf);
++		&t->base_x, &t->base_y, t->cstring);
+     if (n != 8) {
+ 	file_msg("Incomplete text data");
++	free(t->cstring);
+ 	free((char *) t);
+ 	return (NULL);
+     }
+-    if ((t->cstring = new_string(strlen(buf))) == NULL) {
++
++    if (!strlen(t->cstring)) {
++	free(t->cstring);
+ 	free((char *) t);
+ 	file_msg("Empty text string at line %d.", line_no);
+ 	return (NULL);
+     }
+-    /* put string in structure */
+-    strcpy(t->cstring, buf);
+ 
+     /* get the font struct */
+     t->zoom = zoomscale;
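Review bot: the new early return `if ((t->cstring = new_string(strlen(buf))) == NULL) return (NULL);` leaks the F_text that `create_text()` allocated; every other failure path in this hunk does `free((char *) t)` first, so this one should as well. The overflow fix itself holds up: the `%[^\n]` conversion now targets a buffer sized from the line just read by `fgets(buf, sizeof(buf), fp)`, so the unbounded `fscanf(fp, ... %[^\n]", ..., buf)` into the fixed `char buf[128]` is gone, provided `new_string(n)` allocates at least n+1 bytes, which the old `new_string(strlen(buf))` followed by `strcpy(t->cstring, buf)` already relied on. One behavioural caveat worth a comment in the patch header: a text line longer than 511 bytes is now truncated by `fgets`, and its remainder is left in the stream for the next read, so such a file fails to parse instead of overflowing.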

diff --git a/xfig.spec b/xfig.spec
index c2fbfd6..691792c 100644
--- a/xfig.spec
+++ b/xfig.spec
@@ -3,7 +3,7 @@
 Summary: An X Window System tool for drawing basic vector graphics
 Name: xfig
 Version: 3.2.5
-Release: 31.b%{?dist}
+Release: 32.b%{?dist}
 License: MIT
 Group: Applications/Multimedia
 URL: http://www.xfig.org/
@@ -22,6 +22,7 @@ Patch19: xfig-3.2.5-debian.patch
 Patch20: xfig-3.2.5b-fix-eps-reading.patch
 Patch21: xfig-3.2.5b-fix-fig-buffer-overflow.patch
 Patch22: 36_libpng15.dpatch
+Patch23: 30_figparserstack.patch
 
 BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
@@ -96,6 +97,7 @@ Files common to both the plain Xaw and the Xaw3d version of xfig.
 %patch20 -p1
 %patch21
 %patch22 -p1 -b .libpng
+%patch23 -p1
 iconv -f ISO-8859-1 -t UTF8 CHANGES > tmp; touch -r CHANGES tmp; mv tmp CHANGES
 rm Doc/html/images/sav1a0.tmp
 chmod -x `find -type f`
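Review bot: `%patch23 -p1` is the right strip level, since the embedded patch uses `a/f_readold.c` and `b/f_readold.c` headers; note that the neighbouring `%patch21` (`xfig-3.2.5b-fix-fig-buffer-overflow.patch`) is applied with no `-p`, so the two fig-parser patches use different path depths and it is worth an `rpmbuild -bp` run to confirm that both still apply on top of each other without fuzz on this branch.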
@@ -121,8 +123,6 @@ make XFIGDOCDIR=%{_docdir}/%{name}-%{version} \
 
 
 %install
-rm -rf %{buildroot}
-
 make DESTDIR=%{buildroot} XFIGDOCDIR=%{_docdir}/%{name}-%{version} \
      INSTALL="install -p" install.all
 install -p -m 644 CHANGES README LATEX.AND.XFIG* FIGAPPS \
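Review bot: dropping `rm -rf %{buildroot}` from `%install` is an unrelated spec modernisation bundled into a CVE fix; it is harmless on rpm versions that clean the buildroot themselves before `%install`, but a security backport to a stable branch is easier to review and audit when the commit carries only the patch, its `%patch` line and the release bump.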
@@ -165,15 +165,12 @@ fi
 
 
 %files
-%defattr(-,root,root,-)
 %{_bindir}/%{name}-Xaw3d
 
 %files plain
-%defattr(-,root,root,-)
 %{_bindir}/%{name}-plain
 
 %files common
-%defattr(-,root,root,-)
 %doc %{_docdir}/%{name}-%{version}
 %{_bindir}/%{name}
 %{_datadir}/%{name}
@@ -184,6 +181,9 @@ fi
 
 
 %changelog
+* Sun Aug 12 2012 Hans de Goede <hdegoede@redhat.com> - 3.2.5-32.b
+- Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905)
+
 * Sun Jul 22 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2.5-31.b
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
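Review bot: the %changelog entry lists only the CVE fix, but this commit also removes the `rm -rf %{buildroot}` and the three `%defattr(-,root,root,-)` lines; either mention those spec cleanups in the entry or split them into a separate commit so the security change stands alone. The entry's version `3.2.5-32.b` does match the new `Release: 32.b%{?dist}`.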
 
