media-gfx/xfig/files/xfig-3.2.5b-figparserstack.patch - chromiumos/overlays/portage - Git at Google

 #! /bin/sh /usr/share/dpatch/dpatch-run
 ## 30_figparserstack.dpatch by Hans de Goede <j.w.r.degoede@hhs.nl>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
 ## DP: Fix Stack-based buffer overflow by loading malformed .FIG files
 ## DP: https://bugzilla.redhat.com/show_bug.cgi?id=543905
 ## DP: Closes: #559274

 @DPATCH@
 diff -urNad xfig~/f_readold.c xfig/f_readold.c
 --- xfig~/f_readold.c
 +++ xfig/f_readold.c
 @@ -471,7 +471,7 @@
      F_text	   *t;
      int		    n;
      int		    dum;
 -    char	    buf[128];
 +    char	    buf[512];
      PR_SIZE	    tx_dim;

      if ((t = create_text()) == NULL)
 @@ -485,22 +485,34 @@
      t->pen_style = -1;
      t->angle = 0.0;
      t->next = NULL;
 +    if (!fgets(buf, sizeof(buf), fp)) {
 +	file_msg("Incomplete text data");
 +	free((char *) t);
 +	return (NULL);
 +    }
 +
 +    /* Note using strlen(buf) here will waste a few bytes, as the
 +       various text attributes are counted into this length too. */
 +    if ((t->cstring = new_string(strlen(buf))) == NULL)
 +        return (NULL);
 +
      /* ascent and length will be recalculated later */
 -    n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
 +    n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
  		&t->font, &dum, &dum, &t->ascent, &t->length,
 -		&t->base_x, &t->base_y, buf);
 +		&t->base_x, &t->base_y, t->cstring);
      if (n != 8) {
  	file_msg("Incomplete text data");
 +	free(t->cstring);
  	free((char *) t);
  	return (NULL);
      }
 -    if ((t->cstring = new_string(strlen(buf))) == NULL) {
 +
 +    if (!strlen(t->cstring)) {
 +	free(t->cstring);
  	free((char *) t);
  	file_msg("Empty text string at line %d.", line_no);
  	return (NULL);
      }
 -    /* put string in structure */
 -    strcpy(t->cstring, buf);

      /* get the font struct */
      t->zoom = zoomscale;
	#! /bin/sh /usr/share/dpatch/dpatch-run
	## 30_figparserstack.dpatch by Hans de Goede <j.w.r.degoede@hhs.nl>
	##
	## All lines beginning with `## DP:' are a description of the patch.
	## DP: Fix Stack-based buffer overflow by loading malformed .FIG files
	## DP: https://bugzilla.redhat.com/show_bug.cgi?id=543905
	## DP: Closes: #559274

	@DPATCH@
	diff -urNad xfig~/f_readold.c xfig/f_readold.c
	--- xfig~/f_readold.c
	+++ xfig/f_readold.c
	@@ -471,7 +471,7 @@
	F_text *t;
	int n;
	int dum;
	- char buf[128];
	+ char buf[512];
	PR_SIZE tx_dim;

	if ((t = create_text()) == NULL)
	@@ -485,22 +485,34 @@
	t->pen_style = -1;
	t->angle = 0.0;
	t->next = NULL;
	+ if (!fgets(buf, sizeof(buf), fp)) {
	+ file_msg("Incomplete text data");
	+ free((char *) t);
	+ return (NULL);
	+ }
	+
	+ /* Note using strlen(buf) here will waste a few bytes, as the
	+ various text attributes are counted into this length too. */
	+ if ((t->cstring = new_string(strlen(buf))) == NULL)
	+ return (NULL);
	+
	/* ascent and length will be recalculated later */
	- n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
	+ n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
	&t->font, &dum, &dum, &t->ascent, &t->length,
	- &t->base_x, &t->base_y, buf);
	+ &t->base_x, &t->base_y, t->cstring);
	if (n != 8) {
	file_msg("Incomplete text data");
	+ free(t->cstring);
	free((char *) t);
	return (NULL);
	}
	- if ((t->cstring = new_string(strlen(buf))) == NULL) {
	+
	+ if (!strlen(t->cstring)) {
	+ free(t->cstring);
	free((char *) t);
	file_msg("Empty text string at line %d.", line_no);
	return (NULL);
	}
	- /* put string in structure */
	- strcpy(t->cstring, buf);

	/* get the font struct */
	t->zoom = zoomscale;