update to 2.44.1

2020-07-24 09:56:51 +08:00 · 2020-07-24 09:56:51 +08:00 · bdc570b1ab
commit bdc570b1ab
parent 651d365495
8 changed files with 7 additions and 296 deletions
--- a/CVE-2019-11023.patch
+++ b/CVE-2019-11023.patch
@ -1,131 +0,0 @@
 From 839085f8026afd6f6920a0c31ad2a9d880d97932 Mon Sep 17 00:00:00 2001
 From: Stephen C North <scnorth@gmail.com>
 Date: Tue, 9 Apr 2019 12:38:23 -0400
 Subject: [PATCH] attempted fix for null pointer deference on malformed input
 ---
 cmd/tools/graphml2gv.c | 36 +++++++++++++++++++++---------------
 lib/cgraph/grammar.y   |  8 ++++++++
 lib/cgraph/obj.c       |  2 ++
 3 files changed, 31 insertions(+), 15 deletions(-)
 diff --git a/cmd/tools/graphml2gv.c b/cmd/tools/graphml2gv.c
 index f4798089e..b9fc9730c 100644
 --- a/cmd/tools/graphml2gv.c
 +++ b/cmd/tools/graphml2gv.c
@@ -468,8 +468,10 @@ startElementHandler(void *userData, const char *name, const char **atts)
 	if (pos > 0) {
 	    const char *attrname;
 	    attrname = atts[pos];
 -
 -	    bind_node(attrname);
 +            if (G == 0)
 +                fprintf(stderr,"node %s outside graph, ignored\n",attrname);
 +	    else
 +                bind_node(attrname);
 	    pushString(&ud->elements, attrname);
 	}
@@ -495,21 +497,25 @@ startElementHandler(void *userData, const char *name, const char **atts)
 	if (tname)
 	    head = tname;
 -	bind_edge(tail, head);
 +        if (G == 0)
 +            fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head);
 +        else {
 +            bind_edge(tail, head);
 -	t = AGTAIL(E);
 -	tname = agnameof(t);
 +            t = AGTAIL(E);
 +	    tname = agnameof(t);
 -	if (strcmp(tname, tail) == 0) {
 -	    ud->edgeinverted = FALSE;
 -	} else if (strcmp(tname, head) == 0) {
 -	    ud->edgeinverted = TRUE;
 -	}
 +	    if (strcmp(tname, tail) == 0) {
 +	        ud->edgeinverted = FALSE;
 +	    } else if (strcmp(tname, head) == 0) {
 +	        ud->edgeinverted = TRUE;
 +	    }
 -	pos = get_xml_attr("id", atts);
 -	if (pos > 0) {
 -	    setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
 -	}
 +	    pos = get_xml_attr("id", atts);
 +	    if (pos > 0) {
 +	        setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
 +	    }
 +        }
     } else {
 	/* must be some extension */
 	fprintf(stderr,
@@ -530,7 +536,7 @@ static void endElementHandler(void *userData, const char *name)
 	char *ele_name = topString(ud->elements);
 	if (ud->closedElementType == TAG_GRAPH) {
 	    Agnode_t *node = agnode(root, ele_name, 0);
 -	    agdelete(root, node);
 +	    if (node) agdelete(root, node);
 	}
 	popString(&ud->elements);
 	Current_class = TAG_GRAPH;
 diff --git a/lib/cgraph/grammar.y b/lib/cgraph/grammar.y
 index 90aa27387..127a7241a 100644
 --- a/lib/cgraph/grammar.y
 +++ b/lib/cgraph/grammar.y
@@ -22,6 +22,7 @@ extern void yyerror(char *);	/* gets mapped to aagerror, see below */
 #endif
 static char Key[] = "key";
 +static int SubgraphDepth = 0;
 typedef union s {					/* possible items in generic list */
 		Agnode_t		*n;
@@ -542,6 +543,7 @@ static void startgraph(char *name, int directed, int strict)
 	static Agdesc_t	req;	/* get rid of warnings */
 	if (G == NILgraph) {
 +    SubgraphDepth = 0;
 		req.directed = directed;
 		req.strict = strict;
 		req.maingraph = TRUE;
@@ -562,6 +564,11 @@ static void endgraph()
 static void opensubg(char *name)
 {
 +  if (++SubgraphDepth >= YYMAXDEPTH/2) {
 +    char buf[128];
 +    sprintf(buf,"subgraphs nested more than %d deep",YYMAXDEPTH);
 +    agerr(AGERR,buf);
 +  }
 	S = push(S,agsubg(S->g,name,TRUE));
 	agstrfree(G,name);
 }
@@ -569,6 +576,7 @@ static void opensubg(char *name)
 static void closesubg()
 {
 	Agraph_t *subg = S->g;
 +  --SubgraphDepth;
 	S = pop(S);
 	S->subg = subg;
 	assert(subg);
 diff --git a/lib/cgraph/obj.c b/lib/cgraph/obj.c
 index 7b1c8c101..709774e3d 100644
 --- a/lib/cgraph/obj.c
 +++ b/lib/cgraph/obj.c
@@ -168,6 +168,8 @@ void agdelcb(Agraph_t * g, void *obj, Agcbstack_t * cbstack)
 Agraph_t *agroot(void* obj)
 {
 +    // fixes CVE-2019-11023 by moving the problem to the caller :-)
 +    if (obj == 0) return NILgraph; 
     switch (AGTYPE(obj)) {
     case AGINEDGE:
     case AGOUTEDGE:
 -- 
 2.21.0
--- a/elimination-define-difference.patch
+++ b/elimination-define-difference.patch
@ -1,32 +0,0 @@
 /lib/sfio/features/sfio b/lib/sfio/features/sfio
 --- a/lib/sfio/features/sfio	2018-01-01 00:00:00.000000000 +0000
 +++ b/lib/sfio/features/sfio	2018-01-01 00:00:00.000000000 +0000
@@ -89,7 +89,7 @@ lib memchr note{ see if memchr is fast }
 		t2 = (etm2.tms_utime - stm2.tms_utime) +
 		     (etm2.tms_stime - stm2.tms_stime);
 -		return t1 < t2 ? 0 : 1;
 +		return 1;
 	}
 }end
@@ -130,7 +130,7 @@ lib memccpy note{ see if memccpy is fast
 		t2 = (etm2.tms_utime - stm2.tms_utime) +
 		     (etm2.tms_stime - stm2.tms_stime);
 -		return t1 < t2 ? 0 : 1;
 +		return 1;
 	}
 }end
@@ -260,10 +260,6 @@ tst	output{
 		unlink(file);
 -		if(4*mmtm <= 3*rdtm)		/* mmap is great! */
 -			printf("#define _mmap_worthy	2	\n");
 -		else if(4*mmtm <= 5*rdtm)	/* mmap is good	*/
 -			printf("#define _mmap_worthy	1	\n");
 		return 0;
 	}
--- a/graphviz-2.40.1-CVE-2018-10196.patch
+++ b/graphviz-2.40.1-CVE-2018-10196.patch
@ -1,16 +0,0 @@
 diff --git a/lib/dotgen/conc.c b/lib/dotgen/conc.c
 --- a/lib/dotgen/conc.c
 +++ b/lib/dotgen/conc.c
@@ -159,7 +159,11 @@ static void rebuild_vlists(graph_t * g)
     for (r = GD_minrank(g); r <= GD_maxrank(g); r++) {
 	lead = GD_rankleader(g)[r];
 -	if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) {
 +	if (lead == NULL) {
 +		agerr(AGERR, "rebuiltd_vlists: lead is null for rank %d\n", r);
 +		longjmp(jbuf, 1);
 +	}
 +	else if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) {
 	    agerr(AGERR, "rebuiltd_vlists: rank lead %s not in order %d of rank %d\n", 
 		agnameof(lead), ND_order(lead), r);
 	    longjmp(jbuf, 1);
--- a/graphviz-2.40.1-dotty-menu-fix.patch
+++ b/graphviz-2.40.1-dotty-menu-fix.patch
@ -1,22 +0,0 @@
 diff --git a/cmd/dotty/dotty_ui.lefty b/cmd/dotty/dotty_ui.lefty
 index a8c9116..a708c61 100644
 --- a/cmd/dotty/dotty_ui.lefty
 +++ b/cmd/dotty/dotty_ui.lefty
@@ -342,7 +342,7 @@ dotty.protovt.normal.uifuncs = [
         else
             gt.insertedge (gt, data.pobj, null, data.obj, null, null, 1);
     };
 -    'rightdown' = function (data) {
 +    'rightup' = function (data) {
         local vt, gt, menu, i;
         vt = dotty.views[data.widget];
@@ -447,7 +447,7 @@ dotty.protovt.birdseye.uifuncs = [
     'middledown' = dotty.protovt.normal.uifuncs.middledown;
     'middlemove' = dotty.protovt.normal.uifuncs.middlemove;
     'middleup' = dotty.protovt.normal.uifuncs.middleup;
 -    'rightdown' = dotty.protovt.normal.uifuncs.rightdown;
 +    'rightup' = dotty.protovt.normal.uifuncs.rightup;
     'keyup' = dotty.protovt.normal.uifuncs.keyup;
     'redraw' = dotty.protovt.normal.uifuncs.redraw;
     'closeview' = dotty.protovt.normal.uifuncs.closeview;
--- a/graphviz-2.40.1-python3.patch
+++ b/graphviz-2.40.1-python3.patch
@ -1,56 +0,0 @@
 diff --git a/config/config_python.py b/config/config_python.py
 index b747045..2b1ac8d 100644
 --- a/config/config_python.py
 +++ b/config/config_python.py
@@ -1,12 +1,13 @@
 +from __future__ import print_function
 +
 import sys
 from distutils import sysconfig
 if sys.argv[1] == "archlib":
 -    print sysconfig.get_python_lib(1,1)
 +    print(sysconfig.get_python_lib(1,1))
 elif sys.argv[1] == "lib":
 -    print sysconfig.get_python_lib(0,1)
 +    print(sysconfig.get_python_lib(0,1))
 elif sys.argv[1] == "archsitelib":
 -    print sysconfig.get_python_lib(1,0)
 +    print(sysconfig.get_python_lib(1,0))
 elif sys.argv[1] == "sitelib":
 -    print sysconfig.get_python_lib(0,0)
 -
 +    print(sysconfig.get_python_lib(0,0))
 diff --git a/configure.ac b/configure.ac
 index 51166c3..0f18965 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1142,7 +1142,7 @@ else
     if test `$SWIG -help 2>&1 | $EGREP -c '\-python *- Generate'` = 0; then
       use_python="No (swig does not support -python option)"
     else
 -      AC_CHECK_PROG(PYTHON,python,python)
 +      AC_CHECK_PROGS(PYTHON,[python3 python])
       if test "x$PYTHON" = "x"; then
         use_python="No (python not available)"
       else
@@ -1167,8 +1167,8 @@ else
       if test "x$PYTHON" = "x"; then
 	use_python="No (python is too old)"
       else
 -        PYTHON_PREFIX=`$PYTHON -c "import sys; print sys.prefix"`
 -        PYTHON_INCLUDES=-I$PYTHON_PREFIX/include/python$PYTHON_VERSION_SHORT
 +        PYTHON_PREFIX=`$PYTHON -c "import sys; print(sys.prefix)"`
 +        PYTHON_INCLUDES=`$PYTHON-config --includes`
 #        PYTHON_LIBS="-lpython$PYTHON_VERSION_SHORT"
 	PYTHON_LIBS="-undefined dynamic_lookup"
         PYTHON_INSTALL_DIR="`$PYTHON $srcdir/config/config_python.py archsitelib`"
@@ -1548,7 +1548,7 @@ else
       if test "x$PYTHON34" = "x"; then
 	    use_python34="No (python34 is too old)"
       else
 -        PYTHON34_PREFIX=`$PYTHON3 -c "import sys; print sys.prefix"`
 +        PYTHON34_PREFIX=`$PYTHON3 -c "import sys; print(sys.prefix)"`
 #        PYTHON34_INCLUDES=-I$PYTHON34_PREFIX/include/python$PYTHON34_VERSION_SHORT
 # FIXME - whats the stupid "m" for?
         PYTHON34_INCLUDES=-I/usr/include/python3.4m
--- a/graphviz-2.40.1-visio.patch
+++ b/graphviz-2.40.1-visio.patch
@ -1,25 +0,0 @@
 diff --git a/plugin/visio/VisioGraphic.cpp b/plugin/visio/VisioGraphic.cpp
 index 303eac0..14e377c 100644
 --- a/plugin/visio/VisioGraphic.cpp
 +++ b/plugin/visio/VisioGraphic.cpp
@@ -29,6 +29,8 @@
 #define isfinite(x) finite(x)
 #endif
 +#include <cstdlib>
 +
 #include "VisioGraphic.h"
 #include "gvcjob.h"
 diff --git a/plugin/visio/VisioText.cpp b/plugin/visio/VisioText.cpp
 index 635806c..3c6441a 100644
 --- a/plugin/visio/VisioText.cpp
 +++ b/plugin/visio/VisioText.cpp
@@ -17,6 +17,7 @@
 #include "gvcjob.h"
 #include "gvio.h"
 +#include <cstdlib>
 #include <string.h>
 extern "C" char *xml_string(char* str);
--- a/graphviz-2.44.1.tar.gz
+++ b/graphviz-2.44.1.tar.gz
--- a/graphviz.spec
+++ b/graphviz.spec
@ -15,22 +15,12 @@
 Name:               graphviz
-Version:            2.40.1
+Version:            2.44.1
-Release:            39
+Release:            1
 Summary:            Graph Visualization Tools
 License:            EPL
 URL:                http://www.graphviz.org/
-Source0:            https://gitlab.com/graphviz/graphviz/-/archive/stable_release_%{version}/graphviz.tar.gz
+Source0:            https://gitlab.com/graphviz/graphviz/-/archive/%{version}/graphviz-%{version}.tar.gz
 Patch0:             graphviz-2.40.1-visio.patch
 Patch1:             graphviz-2.40.1-python3.patch
 Patch2:             graphviz-2.40.1-CVE-2018-10196.patch
 Patch3:             graphviz-2.40.1-dotty-menu-fix.patch
 Patch6000:          CVE-2019-11023.patch
 Patch9000:          elimination-define-difference.patch
 BuildRequires:      ksh bison m4 flex ruby automake perl-Carp autoconf libtool qpdf ocaml urw-base35-fonts, perl-ExtUtils-Embed, perl-generators, librsvg2-devel swig >= 1.3.33
 BuildRequires:      zlib-devel libpng-devel libjpeg-devel expat-devel tk-devel fontconfig-devel libtool-ltdl-devel ruby-devel guile-devel freetype-devel >= 2 tcl-devel >= 8.3
@ -321,6 +311,9 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/
 %changelog
 * Fri Jul 24 2020 hanhui <hanhui15@huawei.com> - 2.44.1-1
 - update to 2.44.1
 * Tue Jun 23 2020 xinghe <xinghe1@huawei.com> - 2.40.1-39
 - Type:bugfix
 - ID:NA
@ -334,4 +327,4 @@ php --no-php-ini --define extension_dir=$RPM_BUILD_ROOT%{_libdir}/graphviz/php/
 - DESC:optimization the spec
 * Thu Sep 19 2019 hufeng <solar.hu@huawei.com> - 2.40.1-37
-Create spec
+-Create spec