| #! /bin/sh /usr/share/dpatch/dpatch-run |
| ## 30_figparserstack.dpatch by Hans de Goede <j.w.r.degoede@hhs.nl> |
| ## |
| ## All lines beginning with `## DP:' are a description of the patch. |
| ## DP: Fix Stack-based buffer overflow by loading malformed .FIG files |
| ## DP: https://bugzilla.redhat.com/show_bug.cgi?id=543905 |
| ## DP: Closes: #559274 |
| |
| @DPATCH@ |
| diff -urNad xfig~/f_readold.c xfig/f_readold.c |
| --- xfig~/f_readold.c |
| +++ xfig/f_readold.c |
| @@ -471,7 +471,7 @@ |
| F_text *t; |
| int n; |
| int dum; |
| - char buf[128]; |
| + char buf[512]; |
| PR_SIZE tx_dim; |
| |
| if ((t = create_text()) == NULL) |
| @@ -485,22 +485,34 @@ |
| t->pen_style = -1; |
| t->angle = 0.0; |
| t->next = NULL; |
| + if (!fgets(buf, sizeof(buf), fp)) { |
| + file_msg("Incomplete text data"); |
| + free((char *) t); |
| + return (NULL); |
| + } |
| + |
| + /* Note using strlen(buf) here will waste a few bytes, as the |
| + various text attributes are counted into this length too. */ |
| + if ((t->cstring = new_string(strlen(buf))) == NULL) |
| + return (NULL); |
| + |
| /* ascent and length will be recalculated later */ |
| - n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]", |
| + n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]", |
| &t->font, &dum, &dum, &t->ascent, &t->length, |
| - &t->base_x, &t->base_y, buf); |
| + &t->base_x, &t->base_y, t->cstring); |
| if (n != 8) { |
| file_msg("Incomplete text data"); |
| + free(t->cstring); |
| free((char *) t); |
| return (NULL); |
| } |
| - if ((t->cstring = new_string(strlen(buf))) == NULL) { |
| + |
| + if (!strlen(t->cstring)) { |
| + free(t->cstring); |
| free((char *) t); |
| file_msg("Empty text string at line %d.", line_no); |
| return (NULL); |
| } |
| - /* put string in structure */ |
| - strcpy(t->cstring, buf); |
| |
| /* get the font struct */ |
| t->zoom = zoomscale; |