author | salo <salo@pkgsrc.org> | 2006-04-04 14:52:15 +0000 |
---|---|---|
committer | salo <salo@pkgsrc.org> | 2006-04-04 14:52:15 +0000 |
commit | 2a654f617f58d9ad64dc488765c7f7c33237d354 (patch) | |
tree | 911a33b4186f07bcb403fca71fa78766018c28d9 /graphics/dia/patches | |
parent | 13334f61cffd0b7ce045ec1186aa593653c6db21 (diff) | |
Security fix for CVE-2006-1550:
"Multiple buffer overflows in the xfig import code (xfig-import.c) in Dia 0.87
and later before 0.95-pre6 allow user-complicit attackers to have an unknown
impact via a crafted xfig file, possibly involving an invalid (1) color index,
(2) number of points, or (3) depth."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1550
http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html
Fix from Dia CVS.
Diffstat (limited to 'graphics/dia/patches')
-rw-r--r-- | graphics/dia/patches/patch-ac | 14 | ||||
-rw-r--r-- | graphics/dia/patches/patch-ad | 196 |
2 files changed, 210 insertions, 0 deletions
diff --git a/graphics/dia/patches/patch-ac b/graphics/dia/patches/patch-ac
new file mode 100644
index 00000000000..9efb4dc2f97
--- /dev/null
+++ b/graphics/dia/patches/patch-ac
@@ -0,0 +1,14 @@
+$NetBSD: patch-ac,v 1.1 2006/04/04 14:52:15 salo Exp $
+
+Security fix for CVE-2006-1550, from Dia CVS.
+
+--- plug-ins/xfig/xfig.h.orig 2004-08-16 09:56:21.000000000 +0200
++++ plug-ins/xfig/xfig.h 2006-04-04 15:25:30.000000000 +0200
+@@ -6,6 +6,7 @@
+
+ #define FIG_MAX_DEFAULT_COLORS 32
+ #define FIG_MAX_USER_COLORS 512
++#define FIG_MAX_DEPTHS 1000
+ /* 1200 PPI */
+ #define FIG_UNIT 472.440944881889763779527559055118
+ /* 1/80 inch */
diff --git a/graphics/dia/patches/patch-ad b/graphics/dia/patches/patch-ad
new file mode 100644
index 00000000000..33c120ae66e
--- /dev/null
+++ b/graphics/dia/patches/patch-ad
@@ -0,0 +1,196 @@
+$NetBSD: patch-ad,v 1.1 2006/04/04 14:52:15 salo Exp $
+
+Security fix for CVE-2006-1550, from Dia CVS.
+
+--- plug-ins/xfig/xfig-import.c.orig 2004-08-16 09:56:21.000000000 +0200
++++ plug-ins/xfig/xfig-import.c 2006-04-04 15:25:30.000000000 +0200
+@@ -441,11 +441,17 @@
+ static Color
+ fig_color(int color_index)
+ {
+- if (color_index == -1)
++ if (color_index <= -1)
+ return color_black; /* Default color */
+- if (color_index < FIG_MAX_DEFAULT_COLORS)
++ else if (color_index < FIG_MAX_DEFAULT_COLORS)
+ return fig_default_colors[color_index];
+- else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
++ else if (color_index < FIG_MAX_USER_COLORS)
++ return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
++ else {
++ message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."),
++ color_index);
++ return color_black;
++ }
+ }
+
+ static Color
+@@ -563,23 +569,25 @@
+ static int
+ fig_read_n_points(FILE *file, int n, Point **points) {
+ int i;
+- Point *new_points;
+-
+- new_points = (Point*)g_malloc(sizeof(Point)*n);
++ GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n);
+
+ for (i = 0; i < n; i++) {
+ int x,y;
++ Point p;
+ if (fscanf(file, " %d %d ", &x, &y) != 2) {
+ message_error(_("Error while reading %dth of %d points: %s\n"),
+ i, n, strerror(errno));
+- free(new_points);
++ g_array_free(points_list, TRUE);
+ return FALSE;
+ }
+- new_points[i].x = x/FIG_UNIT;
+- new_points[i].y = y/FIG_UNIT;
++ p.x = x/FIG_UNIT;
++ p.y = y/FIG_UNIT;
++ g_array_append_val(points_list, p);
+ }
+ fscanf(file, "\n");
+- *points = new_points;
++
++ *points = (Point *)points_list->data;
++ g_array_free(points_list, FALSE);
+ return TRUE;
+ }
+
+@@ -683,7 +691,7 @@
+ return text_buf;
+ }
+
+-static GList *depths[1000];
++static GList *depths[FIG_MAX_DEPTHS];
+
+ /* If there's something in the compound stack, we ignore the depth field,
+ as it will be determined by the group anyway */
+@@ -693,6 +701,26 @@
+ level. Best we can do now. */
+ static int compound_depth;
+
++/** Add an object at a given depth. This function checks for depth limits
++ * and updates the compound depth if needed.
++ *
++ * @param newobj An object to add. If we're inside a compound, this
++ * doesn't really add the object.
++ * @param depth A depth as in the Fig format, max 999
++ */
++static void
++add_at_depth(DiaObject *newobj, int depth) {
++ if (depth < 0 || depth >= FIG_MAX_DEPTHS) {
++ message_error(_("Depth %d of of range, only 0-%d allowed.\n"),
++ depth, FIG_MAX_DEPTHS-1);
++ depth = FIG_MAX_DEPTHS - 1;
++ }
++ if (compound_stack == NULL)
++ depths[depth] = g_list_append(depths[depth], newobj);
++ else
++ if (compound_depth > depth) compound_depth = depth;
++}
++
+ static DiaObject *
+ fig_read_ellipse(FILE *file, DiagramData *dia) {
+ int sub_type;
+@@ -749,10 +777,7 @@
+ /* Angle -- can't rotate yet */
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+
+ return newobj;
+ }
+@@ -885,10 +910,7 @@
+ /* Cap style */
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+ exit:
+ prop_list_free(props);
+ g_free(forward_arrow_info);
+@@ -1111,10 +1133,7 @@
+ /* Cap style */
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+ exit:
+ prop_list_free(props);
+ g_free(forward_arrow_info);
+@@ -1202,10 +1221,7 @@
+ /* Cap style */
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+
+ exit:
+ g_free(forward_arrow_info);
+@@ -1298,10 +1314,7 @@
+ newobj->ops->set_props(newobj, props);
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+
+ exit:
+ if (text_buf != NULL) free(text_buf);
+@@ -1347,6 +1360,12 @@
+ return FALSE;
+ }
+
++ if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) {
++ message_error(_("Color number %d out of range 0..%d. Discarding color.\n"),
++ colornumber, FIG_MAX_USER_COLORS);
++ return FALSE;
++ }
++
+ color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0;
+ color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0;
+ color.blue = (colorvalues & 0x000000ff) / 255.0;
+@@ -1393,7 +1412,7 @@
+ }
+ /* Group extends don't really matter */
+ if (compound_stack == NULL)
+- compound_depth = 999;
++ compound_depth = FIG_MAX_DEPTHS - 1;
+ compound_stack = g_slist_append(compound_stack, NULL);
+ return TRUE;
+ break;
+@@ -1551,7 +1570,7 @@
+ for (i = 0; i < FIG_MAX_USER_COLORS; i++) {
+ fig_colors[i] = color_black;
+ }
+- for (i = 0; i < 1000; i++) {
++ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
+ depths[i] = NULL;
+ }
+
+@@ -1606,7 +1625,7 @@
+ } while (TRUE);
+
+ /* Now we can reorder for the depth fields */
+- for (i = 0; i < 1000; i++) {
++ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
+ if (depths[i] != NULL)
+ layer_add_objects_first(dia->active_layer, depths[i]);
+ } |
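Review bot: In the patched `fig_read_n_points`, the count `n` goes straight into `g_array_sized_new(FALSE, FALSE, sizeof(Point), n)` with no range check, so the file still dictates the size of the first allocation even though the per-point writes are now bounded by the growing array. `n` is a signed `int` while GLib takes an unsigned reserve, so a negative count turns into a very large request that, depending on the GLib version, either wraps or ends in a failed allocation. I would reject bad counts before allocating with `if (n < 0) return FALSE;` and pre-size with a small bounded value, leaving `g_array_append_val` to grow the array as points actually parse. The callers that supply `n` are outside this patch, so confirm none of them validates it already; the commit message lists the number of points as one of the crafted-file vectors, which suggests they do not.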