author | drochner <drochner> | 2009-12-23 14:19:58 +0000 |
---|---|---|
committer | drochner <drochner> | 2009-12-23 14:19:58 +0000 |
commit | 51a5f0f4ae381a0e5beec6bfb5eba6285b1c4843 (patch) | |
tree | c54b9e7c368af04ae6a4b02e0c5ef0f758c33325 /print/transfig | |
parent | dac3c02862a9881ab60042fdfba4dac585db47f2 (diff) | |
download | pkgsrc-51a5f0f4ae381a0e5beec6bfb5eba6285b1c4843.tar.gz |
add a patch from
https://bugzilla.redhat.com/show_bug.cgi?id=543905
(slightly modified) to fix CVE-2009-4228
(Stack-based buffer overflow by loading malformed .FIG files)
Diffstat (limited to 'print/transfig')
-rw-r--r-- | print/transfig/Makefile | 4 | ||||
-rw-r--r-- | print/transfig/distinfo | 3 | ||||
-rw-r--r-- | print/transfig/patches/patch-af | 52 |
3 files changed, 56 insertions, 3 deletions
diff --git a/print/transfig/Makefile b/print/transfig/Makefile index b2a35256bdc..f4b139d6492 100644 --- a/print/transfig/Makefile +++ b/print/transfig/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.36 2008/08/20 10:25:12 is Exp $ +# $NetBSD: Makefile,v 1.37 2009/12/23 14:19:58 drochner Exp $ DISTNAME= transfig.3.2.5 PKGNAME= transfig-3.2.5 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= graphics print MASTER_SITES= ftp://epb.lbl.gov/xfig/alpha/ diff --git a/print/transfig/distinfo b/print/transfig/distinfo index 037c289223c..b1bb3942160 100644 --- a/print/transfig/distinfo +++ b/print/transfig/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.15 2008/08/20 10:25:12 is Exp $ +$NetBSD: distinfo,v 1.16 2009/12/23 14:19:58 drochner Exp $ SHA1 (transfig.3.2.5.tar.gz) = 2657c104d0099dcb4565a8762a9543310e55e767 RMD160 (transfig.3.2.5.tar.gz) = 435615bded662225127ea564fc746e9cb0058f18 @@ -7,3 +7,4 @@ SHA1 (patch-aa) = bd898082a8c34825efe04d0102ddb33b2f4cffbd SHA1 (patch-ab) = b056ff88914bccfc172f15adb663eda0f254e125 SHA1 (patch-ac) = 0258794cf6f6d22d3355ed01c2cc89c7ee0088d4 SHA1 (patch-ae) = d3d0eeb08083092f717525914c64e72c7ceaa1fd +SHA1 (patch-af) = 544bae557e193f9bbee4dbe1aefa454c38100c69 diff --git a/print/transfig/patches/patch-af b/print/transfig/patches/patch-af new file mode 100644 index 00000000000..ec7cccf5412 --- /dev/null +++ b/print/transfig/patches/patch-af 
@@ -0,0 +1,52 @@
+$NetBSD: patch-af,v 1.1 2009/12/23 14:19:58 drochner Exp $
+
+--- fig2dev/read1_3.c.orig 2003-04-08 22:18:51.000000000 +0000
++++ fig2dev/read1_3.c
+@@ -441,7 +441,7 @@ FILE *fp;
+ {
+ F_text *t;
+ int n;
+- char buf[128];
++ char buf[512];
+
+ Text_malloc(t);
+ t->type = T_LEFT_JUSTIFIED;
+@@ -451,21 +451,33 @@ FILE *fp;
+ t->pen = 0;
+ t->angle = 0.0;
+ t->next = NULL;
+- n = fscanf(fp," %d %lf %d %lf %lf %d %d %[^\n]", &t->font,
++ if (!fgets(buf, sizeof(buf), fp)) {
++ put_msg("Incomplete text data");
++ free((char *) t);
++ return (NULL);
++ }
++
++ /* Note using strlen(buf) here will waste a few bytes, as the
++ various text attributes are counted into this length too. */
++ t->cstring = (char *) calloc((unsigned)(strlen(buf)+1), sizeof(char));
++ if (t->cstring == NULL)
++ return (NULL);
++ n = sscanf(buf," %d %lf %d %lf %lf %d %d %[^\n]", &t->font,
+ &t->size, &t->flags, &t->height, &t->length,
+- &t->base_x, &t->base_y, buf);
++ &t->base_x, &t->base_y, t->cstring);
+ if (n != 8) {
+ put_msg("incomplete text data");
++ free(t->cstring);
+ free((char*)t);
+ return(NULL);
+ }
+- t->cstring = (char *) calloc((unsigned)(strlen(buf)+1), sizeof(char));
+- if (t->cstring == NULL) {
++
++ if (!strlen(t->cstring)) {
++ free(t->cstring);
+ put_msg(Err_mem);
+ free((char*) t);
+ return(NULL);
+ }
+- (void)strcpy(t->cstring, buf);
+ if (t->size == 0) t->size = 18;
+ return(t);
+ } |
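Review bot: In the added `if (t->cstring == NULL) return (NULL);` branch of patch-af, an allocation failure leaks `t` and returns without any message, while `put_msg(Err_mem)` has ended up on the later `!strlen(t->cstring)` check, where it reports a memory error for what is an empty string (that branch also looks unreachable, since `%[^\n]` has to match at least one character for `n == 8`). I would write the allocation check as `if (t->cstring == NULL) { put_msg(Err_mem); free((char *) t); return (NULL); }` and drop or reword the empty-string branch. Separately, `fgets(buf, sizeof(buf), fp)` stops after 511 bytes, so an over-long text line is now memory-safe but silently truncated, and its tail stays in the stream for whatever read comes next; checking `buf` for a missing `'\n'` and rejecting the record would keep a malformed .FIG file from desynchronising the parser. The function's signature and the rest of its body lie outside the two inner hunks, so how the caller handles the `NULL` return is not visible here.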