From mboxrd@z Thu Jan 1 00:00:00 1970
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
From: Hans de Goede
To: git-commits@fedoraproject.org
Subject: [rpms/xfig] epel10: Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905)
Date: Sat, 30 May 2026 14:25:46 GMT
Message-ID: <178015114684.1.5947164372075309777.rpms-xfig-a64793542bd1@fedoraproject.org>
List-ID:
X-Git-Repo: rpms/xfig
X-Git-Branch: epel10
X-Git-Rev: a64793542bd1d681f802fd8b0d6a6d71debfa852