Fix CVE-2025-31162,CVE-2025-31163 and CVE-2025-31164

(cherry picked from commit 44bed95ae11315f3519cd360b026187325d4cd37)

CVE-2025-31162.patch

@@ -0,0 +1,21 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/185/
+https://sourceforge.net/p/mcj/fig2dev/ci/da8992f44b84a337b4edaa67fc8b36b55eaef696/
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -57,12 +57,13 @@
+ 	struct f_comment	*next;
+ } F_comment;
+ 
++#define	STYLE_VAL_MAX	6400.0	/* dash length 80 inches, that is enough */
+ #define COMMON_PROPERTIES(o)						\
+ 	o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE ||		\
+ 	o->thickness < 0 || o->depth < 0 || o->depth > 999 ||		\
+ 	o->fill_style < UNFILLED ||					\
+ 	o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS ||		\
+-	o->style_val < 0.0
++	o->style_val < 0.0 || o->style_val > STYLE_VAL_MAX
+ 
+ typedef struct f_ellipse {
+ 	int			type;

CVE-2025-31163.patch

@@ -0,0 +1,86 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/186/
+https://sourceforge.net/p/mcj/fig2dev/ci/c8a87d22036e62bac0c6f7836078d8103caa6457/
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2023 by Thomas Loimer
++ * Parts Copyright (c) 2015-2025 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -91,10 +91,10 @@ typedef struct f_ellipse {
+ 	struct f_ellipse	*next;
+ } F_ellipse;
+ 
+-#define INVALID_ELLIPSE(e)	\
++#define INVALID_ELLIPSE(e)						\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+-	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+-	e->radiuses.x == 0 || e->radiuses.y == 0 || \
++	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) ||  \
++	e->radiuses.x == 0 || e->radiuses.y == 0 ||			\
+ 	e->angle < -7. || e->angle > 7.
+ 
+ typedef struct f_arc {
+@@ -121,12 +121,16 @@ typedef struct f_arc {
+ 	struct f_arc		*next;
+ } F_arc;
+ 
+-#define INVALID_ARC(a)	\
++#define COINCIDENT(a, b)	(a.x == b.x && a.y == b.y)
++#define INVALID_ARC(a)							\
+ 	a->type < T_OPEN_ARC || a->type > T_PIE_WEDGE_ARC ||		\
+ 	COMMON_PROPERTIES(a) || a->cap_style < 0 || a->cap_style > 2 ||	\
+ 	a->center.x < COORD_MIN || a->center.x > COORD_MAX ||		\
+ 	a->center.y < COORD_MIN || a->center.y > COORD_MAX ||		\
+-	(a->direction != 0 && a->direction != 1)
++	(a->direction != 0 && a->direction != 1) ||			\
++	COINCIDENT(a->point[0], a->point[1]) ||				\
++	COINCIDENT(a->point[0], a->point[2]) ||				\
++	COINCIDENT(a->point[1], a->point[2])
+ 
+ typedef struct f_line {
+ 	int			type;
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to various Devices
+ dnl Copyright (c) 1991 by Micah Beck
+ dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
+-dnl Parts Copyright (c) 2015-2023 by Thomas Loimer
++dnl Parts Copyright (c) 2015-2025 by Thomas Loimer
+ dnl
+ dnl Any party obtaining a copy of these files is granted, free of charge, a
+ dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -14,7 +14,7 @@ dnl party to do so, with the only requirement being that the above copyright
+ dnl and this permission notice remain intact.
+ 
+ dnl read.at
+-dnl Author: Thomas Loimer, 2017-2020
++dnl Author: Thomas Loimer, 2017-2025
+ 
+ 
+ AT_BANNER([Sanitize and harden input.])
+@@ -237,6 +237,16 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([reject arcs with coincident points, ticket #186])
++AT_KEYWORDS(read.c arc)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++5 1 0 15 0 7 50 0 -1 0.0 1 0 0 0 0.0 0.0 1 1 1 1 2 0
++EOF
++], 1, ignore, [Invalid arc object at line 10.
++])
++AT_CLEANUP
++
+ AT_SETUP([survive debian bugs #881143, #881144])
+ AT_KEYWORDS([font pic tikz])
+ AT_CHECK([fig2dev -L pic <<EOF
+

CVE-2025-31164.patch

@@ -0,0 +1,41 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/184/
+https://sourceforge.net/p/mcj/fig2dev/ci/ff9aba206a30288f456dfc91584a52ba9927b438/
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1058,6 +1058,14 @@
+ 							line_no);
+ 					return -1;
+ 				}
++				if (l->type == T_ARC_BOX && l->radius == 0) {
++					put_msg("A %s, but zero corner radius "
++							"at line %d - convert "
++							"to a rectangle.",
++							obj_name[l->type - 2],
++							line_no);
++					l->type = T_BOX;
++				}
+ 			}
+ 
+ 		} else { /* T_BOX || T_POLYGON */
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -123,6 +123,17 @@
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([convert an arc-box with zero radius to a box])
++AT_KEYWORDS(read.c arc-box)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++2 4 1 1 0 0 50 -1 -1 4.0 0 0 0 0 0 5
++	0 0 300 0 300 300 0 300 0 0
++EOF
++],0,ignore,[A rectangle with rounded corners, but zero corner radius at line 11 - convert to a rectangle.
++])
++AT_CLEANUP
++
+ AT_SETUP([fail on a malformed arc-box])
+ AT_KEYWORDS(read.c malformed arc-box)
+ AT_CHECK([fig2dev -L pict2e <<EOF

transfig.spec

@@ -1,13 +1,17 @@
 Name:		transfig
 Summary:	Utility for converting FIG files (made by xfig) to other formats
 Version:	3.2.9
-Release:	1
+Release:	2
 Epoch:		1
 License:	MIT
 URL:		https://sourceforge.net/projects/mcj/
 
 Source0:	http://downloads.sourceforge.net/mcj/fig2dev-%{version}.tar.xz
 
+Patch0: 	CVE-2025-31162.patch
+Patch1: 	CVE-2025-31163.patch
+Patch2: 	CVE-2025-31164.patch
+
 Requires:	netpbm-progs ghostscript bc
 
 BuildRequires:  gcc libpng-devel libjpeg-devel libXpm-devel ghostscript
@@ -45,6 +49,9 @@ figures into certain graphics languages.
 %{_mandir}/man1/*.1.gz
 
 %changelog
+* Tue Apr 01 2025 yaoxin <1024769339@qq.com> - 1:3.2.9-2
+- Fix CVE-2025-31162,CVE-2025-31163 and CVE-2025-31164
+
 * Tue Dec 19 2023 Ge Wang <wang__ge@126.com> - 1:3.2.9-1
 - Upgrade transfig to 3.2.9