[rpms/xfig] epel10.2: Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905)

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

* [rpms/xfig] epel10.2: Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905)
@ 2026-05-30 14:28 Hans de Goede
  0 siblings, 0 replies; only message in thread
From: Hans de Goede @ 2026-05-30 14:28 UTC (permalink / raw)
  To: git-commits

A new commit has been pushed.

Repo   : rpms/xfig
Branch : epel10.2
Commit : a64793542bd1d681f802fd8b0d6a6d71debfa852
Author : Hans de Goede <hdegoede@redhat.com>
Date   : 2012-08-12T16:47:27+02:00
Stats  : +62/-6 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/xfig/c/a64793542bd1d681f802fd8b0d6a6d71debfa852?branch=epel10.2

Log:
Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905)

---
diff --git a/30_figparserstack.patch b/30_figparserstack.patch
new file mode 100644
index 0000000..70d3912
--- /dev/null
+++ b/30_figparserstack.patch
@@ -0,0 +1,56 @@
+From: Hans de Goede <j.w.r.degoede@hhs.nl>
+Subject: Fix Stack-based buffer overflow by loading malformed .FIG files
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=543905
+Bug-Debian: http://bugs.debian.org/559274
+
+--- a/f_readold.c
++++ b/f_readold.c
+@@ -471,7 +471,7 @@
+     F_text	   *t;
+     int		    n;
+     int		    dum;
+-    char	    buf[128];
++    char	    buf[512];
+     PR_SIZE	    tx_dim;
+ 
+     if ((t = create_text()) == NULL)
+@@ -485,22 +485,34 @@
+     t->pen_style = -1;
+     t->angle = 0.0;
+     t->next = NULL;
++    if (!fgets(buf, sizeof(buf), fp)) {
++	file_msg("Incomplete text data");
++	free((char *) t);
++	return (NULL);
++    }
++
++    /* Note using strlen(buf) here will waste a few bytes, as the
++       various text attributes are counted into this length too. */
++    if ((t->cstring = new_string(strlen(buf))) == NULL)
++        return (NULL);
++
+     /* ascent and length will be recalculated later */
+-    n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
++    n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
+ 		&t->font, &dum, &dum, &t->ascent, &t->length,
+-		&t->base_x, &t->base_y, buf);
++		&t->base_x, &t->base_y, t->cstring);
+     if (n != 8) {
+ 	file_msg("Incomplete text data");
++	free(t->cstring);
+ 	free((char *) t);
+ 	return (NULL);
+     }
+-    if ((t->cstring = new_string(strlen(buf))) == NULL) {
++
++    if (!strlen(t->cstring)) {
++	free(t->cstring);
+ 	free((char *) t);
+ 	file_msg("Empty text string at line %d.", line_no);
+ 	return (NULL);
+     }
+-    /* put string in structure */
+-    strcpy(t->cstring, buf);
+ 
+     /* get the font struct */
+     t->zoom = zoomscale;

diff --git a/xfig.spec b/xfig.spec
index c2fbfd6..691792c 100644
--- a/xfig.spec
+++ b/xfig.spec
@@ -3,7 +3,7 @@
 Summary: An X Window System tool for drawing basic vector graphics
 Name: xfig
 Version: 3.2.5
-Release: 31.b%{?dist}
+Release: 32.b%{?dist}
 License: MIT
 Group: Applications/Multimedia
 URL: http://www.xfig.org/
@@ -22,6 +22,7 @@ Patch19: xfig-3.2.5-debian.patch
 Patch20: xfig-3.2.5b-fix-eps-reading.patch
 Patch21: xfig-3.2.5b-fix-fig-buffer-overflow.patch
 Patch22: 36_libpng15.dpatch
+Patch23: 30_figparserstack.patch
 
 BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
@@ -96,6 +97,7 @@ Files common to both the plain Xaw and the Xaw3d version of xfig.
 %patch20 -p1
 %patch21
 %patch22 -p1 -b .libpng
+%patch23 -p1
 iconv -f ISO-8859-1 -t UTF8 CHANGES > tmp; touch -r CHANGES tmp; mv tmp CHANGES
 rm Doc/html/images/sav1a0.tmp
 chmod -x `find -type f`
@@ -121,8 +123,6 @@ make XFIGDOCDIR=%{_docdir}/%{name}-%{version} \
 
 
 %install
-rm -rf %{buildroot}
-
 make DESTDIR=%{buildroot} XFIGDOCDIR=%{_docdir}/%{name}-%{version} \
      INSTALL="install -p" install.all
 install -p -m 644 CHANGES README LATEX.AND.XFIG* FIGAPPS \
@@ -165,15 +165,12 @@ fi
 
 
 %files
-%defattr(-,root,root,-)
 %{_bindir}/%{name}-Xaw3d
 
 %files plain
-%defattr(-,root,root,-)
 %{_bindir}/%{name}-plain
 
 %files common
-%defattr(-,root,root,-)
 %doc %{_docdir}/%{name}-%{version}
 %{_bindir}/%{name}
 %{_datadir}/%{name}
@@ -184,6 +181,9 @@ fi
 
 
 %changelog
+* Sun Aug 12 2012 Hans de Goede <hdegoede@redhat.com> - 3.2.5-32.b
+- Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905)
+
 * Sun Jul 22 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2.5-31.b
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-05-30 14:28 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-30 14:28 [rpms/xfig] epel10.2: Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905) Hans de Goede

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox