add a patch from

https://bugzilla.redhat.com/show_bug.cgi?id=543905 (slightly modified) to fix CVE-2009-4228 (Stack-based buffer overflow by loading malformed .FIG files)
2009-12-23 14:19:58 +00:00 · 2009-12-23 14:19:58 +00:00 · b6fe8891f7
commit b6fe8891f7
parent 74a93af9ff
3 changed files with 56 additions and 3 deletions
--- a/print/transfig/Makefile
+++ b/print/transfig/Makefile
@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.36 2008/08/20 10:25:12 is Exp $
+# $NetBSD: Makefile,v 1.37 2009/12/23 14:19:58 drochner Exp $

 DISTNAME=	transfig.3.2.5
 PKGNAME=	transfig-3.2.5
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	graphics print
 MASTER_SITES=	ftp://epb.lbl.gov/xfig/alpha/

--- a/print/transfig/distinfo
+++ b/print/transfig/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.15 2008/08/20 10:25:12 is Exp $
+$NetBSD: distinfo,v 1.16 2009/12/23 14:19:58 drochner Exp $

 SHA1 (transfig.3.2.5.tar.gz) = 2657c104d0099dcb4565a8762a9543310e55e767
 RMD160 (transfig.3.2.5.tar.gz) = 435615bded662225127ea564fc746e9cb0058f18
@ -7,3 +7,4 @@ SHA1 (patch-aa) = bd898082a8c34825efe04d0102ddb33b2f4cffbd
 SHA1 (patch-ab) = b056ff88914bccfc172f15adb663eda0f254e125
 SHA1 (patch-ac) = 0258794cf6f6d22d3355ed01c2cc89c7ee0088d4
 SHA1 (patch-ae) = d3d0eeb08083092f717525914c64e72c7ceaa1fd
+SHA1 (patch-af) = 544bae557e193f9bbee4dbe1aefa454c38100c69
--- a/print/transfig/patches/patch-af
+++ b/print/transfig/patches/patch-af
@ -0,0 +1,52 @@
+$NetBSD: patch-af,v 1.1 2009/12/23 14:19:58 drochner Exp $
+
+--- fig2dev/read1_3.c.orig	2003-04-08 22:18:51.000000000 +0000
+++ fig2dev/read1_3.c
+@@ -441,7 +441,7 @@ FILE	*fp;
+ {
+ 	F_text	*t;
+ 	int	n;
+-	char	buf[128];
+	char	buf[512];
+ 
+ 	Text_malloc(t);
+ 	t->type = T_LEFT_JUSTIFIED;
+@@ -451,21 +451,33 @@ FILE	*fp;
+ 	t->pen = 0;
+ 	t->angle = 0.0;
+ 	t->next = NULL;
+-	n = fscanf(fp," %d %lf %d %lf %lf %d %d %[^\n]", &t->font, 
+	if (!fgets(buf, sizeof(buf), fp)) {
+		put_msg("Incomplete text data");
+		free((char *) t);
+		return (NULL);
+	}
+
+	/* Note using strlen(buf) here will waste a few bytes, as the
+	   various text attributes are counted into this length too. */
+	t->cstring = (char *) calloc((unsigned)(strlen(buf)+1), sizeof(char));
+	if (t->cstring == NULL)
+		return (NULL);
+	n = sscanf(buf," %d %lf %d %lf %lf %d %d %[^\n]", &t->font, 
+ 		&t->size, &t->flags, &t->height, &t->length, 
+-		&t->base_x, &t->base_y, buf);
+		&t->base_x, &t->base_y, t->cstring);
+ 	if (n != 8) {
+ 	    put_msg("incomplete text data");
+	    free(t->cstring);
+ 	    free((char*)t);
+ 	    return(NULL);
+ 	    }
+-	t->cstring = (char *) calloc((unsigned)(strlen(buf)+1), sizeof(char));
+-	if (t->cstring == NULL) {
+
+	if (!strlen(t->cstring)) {
+	    free(t->cstring);
+ 	    put_msg(Err_mem);
+ 	    free((char*) t);
+ 	    return(NULL);
+ 	    }
+-	(void)strcpy(t->cstring, buf);
+ 	if (t->size == 0) t->size = 18;
+ 	return(t);
+ 	}