Fix CVE-2025-46397,CVE-2025-46398,CVE-2025-46399 and CVE-2025-46400

(cherry picked from commit 4b566e23152cd652f6ff32a9c55d5adc2cf366b9)
2025-04-29 14:13:33 +08:00 · 2025-04-29 14:13:33 +08:00 · 817bc7b6e3
commit 817bc7b6e3
parent 69729c7522
6 changed files with 264 additions and 1 deletions
--- a/CVE-2025-46397.patch
+++ b/CVE-2025-46397.patch
@ -0,0 +1,49 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/192/
+https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
+
+--- a/fig2dev/read.c	2025-04-29 13:52:18.589400762 +0800
+++ b/fig2dev/read.c	2025-04-29 13:55:48.807400762 +0800
+@@ -1539,9 +1539,11 @@
+ 			free_splinestorage(s);
+ 			return NULL;
+ 		}
+-		if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN ||
+-				ly > INT_MAX || rx < INT_MIN || rx > INT_MAX ||
+-				ry < INT_MIN || ry > INT_MAX) {
+		if (		!isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
+				!isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
+				!isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
+				!isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
+		{
+ 			/* do not care to clean up, we exit anyway
+ 			   cp->next = NULL;
+ 			   free_splinestorage(s);	*/
+--- a/fig2dev/tests/read.at     2025-04-29 14:02:20.618400762 +0800
+++ b/fig2dev/tests/read.at     2025-04-29 14:03:13.226400762 +0800
+@@ -595,6 +595,25 @@
+ ])
+ AT_CLEANUP
+
+AT_SETUP([reject nan in spline controls values, #192])
+AT_KEYWORDS([read.c])
+# Use an output language that does not natively support Bezier splines.
+# Otherwise, the huge values are simply copied to the output.
+AT_CHECK([fig2dev -L epic <<EOF
+#FIG 3.1
+Landscape
+Center
+Metric
+1200 2
+3 2 0 1 0 7 50 -1 -1 0.0 0 0 0 2
+        0 0 1200 0
+        600 600 600 nan
+        600 600 600 600
+EOF
+], 1, ignore, [Spline control points out of range at line 8.
+])
+AT_CLEANUP
+
+ AT_BANNER([Dynamically allocate picture file name.])
+
+ AT_SETUP([prepend fig file path to picture file name])
--- a/CVE-2025-46398.patch
+++ b/CVE-2025-46398.patch
@ -0,0 +1,25 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/191/
+https://sourceforge.net/p/mcj/fig2dev/ci/5f22009dba73922e98d49c0096cece8b215cd45b/
+
+--- a/fig2dev/read.c
+++ b/fig2dev/read.c
+@@ -190,7 +190,8 @@
+ 	}
+ 
+ 	/* check for embedded '\0' */
+-	if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
+	if (*buf == '\0' || (strlen(buf) < sizeof buf - 1 &&
+			buf[strlen(buf) - 1] != '\n')) {
+ 		put_msg("ASCII NUL ('\\0') character within the first line.");
+ 		exit(EXIT_FAILURE);
+ 	/* seek to the end of the first line
+@@ -239,7 +240,7 @@
+ 		   the encoding given in the file */
+ 		if (!input_encoding && !strcmp(buf, "encoding: UTF-8\n")) {
+ 			input_encoding = "UTF-8";
+-		} else if (buf[strlen(buf) - 1] != '\n') {
+		} else if (*buf == '\0' || buf[strlen(buf) - 1] != '\n') {
+ 			/* seek forward to the end of the line;
+ 			   comments here are not mentioned by the
+ 			   specification, thus ignore this comment */
--- a/CVE-2025-46399.patch
+++ b/CVE-2025-46399.patch
@ -0,0 +1,23 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/190/
+https://sourceforge.net/p/mcj/fig2dev/ci/2bd6c0b210916d0d3ca81f304535b5af0849aa93/
+
+--- a/fig2dev/dev/genge.c	2025-04-29 14:04:55.185400762 +0800
+++ b/fig2dev/dev/genge.c	2025-04-29 14:06:40.765400762 +0800
+@@ -229,8 +229,6 @@
+ 	int		 xmin, ymin;
+ 
+ 	a = s->controls;
+-
+-	a = s->controls;
+ 	p = s->points;
+ 	/* go through the points to find the last two */
+ 	for (q = p->next; q != NULL; p = q, q = q->next) {
+@@ -238,6 +236,7 @@
+ 	    a = b;
+ 	}
+ 
+	a = s->controls;
+ 	p = s->points;
+ 	fprintf(tfp, "n %d %d m\n", p->x, p->y);
+ 	xmin = 999999;
--- a/CVE-2025-46400-1.patch
+++ b/CVE-2025-46400-1.patch
@ -0,0 +1,48 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/187/
+https://sourceforge.net/p/mcj/fig2dev/ci/1e5515a1ea2ec8651cf85ab5000d026bb962492a/
+
+--- a/fig2dev/dev/genpict2e.c
+++ b/fig2dev/dev/genpict2e.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2023 by Thomas Loimer
+ * Parts Copyright (c) 2015-2025 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -19,7 +19,7 @@
+ /*
+  * genpict2e.c: convert fig to pict2e macro language for LaTeX
+  *
+- * Author: Thomas Loimer, 2014-2023
+ * Author: Thomas Loimer, 2014-2025
+  * Based on the latex picture driver, genlatex.c
+  *
+  */
+@@ -2277,8 +2277,13 @@
+ 	l->join_style = MITERJOIN;
+ 
+ 	p = l->points;
+-	if (p == NULL)
+	for (i = 0; i < 8 && p != NULL; ++i)
+		p = p->next;
+	/* If the radius is about 1, the spline may consist of
+	   a few points only. */
+	if (i < 7)
+ 		return;
+	p = l->points;
+ 
+ 	/*
+ 	 * Walk along the spline, until the arc angle is covered.
+@@ -2428,7 +2433,7 @@
+ 	rad = 0.5*(sqrt((double)d1x*d1x + (double)d1y*d1y)
+ 			+ sqrt((double)d2x*d2x + (double)d2y*d2y));
+ 	rad = round(rad*10.0) / 10.0;
+-	/* how precise must the angle be given? 
+	/* how precise must the angle be given?
+ 	   1/rad is the view angle of one pixel */
+ 	da = 180.0 / M_PI / rad;
+ 	preca = 0;
--- a/CVE-2025-46400-2.patch
+++ b/CVE-2025-46400-2.patch
@ -0,0 +1,110 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/187/
+https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0d9af89d9738aad31c2d0873ac1fa03c96/
+
+--- a/fig2dev/dev/genpict2e.c
+++ b/fig2dev/dev/genpict2e.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2025 by Thomas Loimer
+ * Parts Copyright (c) 2015-2023 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -19,7 +19,7 @@
+ /*
+  * genpict2e.c: convert fig to pict2e macro language for LaTeX
+  *
+- * Author: Thomas Loimer, 2014-2025
+ * Author: Thomas Loimer, 2014-2023
+  * Based on the latex picture driver, genlatex.c
+  *
+  */
+@@ -2277,13 +2277,8 @@
+ 	l->join_style = MITERJOIN;
+ 
+ 	p = l->points;
+-	for (i = 0; i < 8 && p != NULL; ++i)
+-		p = p->next;
+-	/* If the radius is about 1, the spline may consist of
+-	   a few points only. */
+-	if (i < 7)
+	if (p == NULL)
+ 		return;
+-	p = l->points;
+ 
+ 	/*
+ 	 * Walk along the spline, until the arc angle is covered.
+@@ -2433,7 +2428,7 @@
+ 	rad = 0.5*(sqrt((double)d1x*d1x + (double)d1y*d1y)
+ 			+ sqrt((double)d2x*d2x + (double)d2y*d2y));
+ 	rad = round(rad*10.0) / 10.0;
+-	/* how precise must the angle be given?
+	/* how precise must the angle be given? 
+ 	   1/rad is the view angle of one pixel */
+ 	da = 180.0 / M_PI / rad;
+ 	preca = 0;
+--- a/fig2dev/object.h
+++ b/fig2dev/object.h
+@@ -92,11 +92,14 @@
+ 	struct f_ellipse	*next;
+ } F_ellipse;
+ 
+#define RADIUS2_MIN	9
+ #define INVALID_ELLIPSE(e)						\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+ 	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) ||  \
+ 	e->radiuses.x == 0 || e->radiuses.y == 0 ||			\
+	e->radiuses.x + e->radiuses.y < RADIUS2_MIN ||			\
+ 	e->angle < -7. || e->angle > 7.
+	/* radiuses are set to positive in read.c */
+ 
+ typedef struct f_arc {
+ 	int			type;
+@@ -135,7 +138,10 @@
+ 	(a->direction != 0 && a->direction != 1) ||			\
+ 	COINCIDENT(a->point[0], a->point[1]) ||				\
+ 	COINCIDENT(a->point[0], a->point[2]) ||				\
+-	COINCIDENT(a->point[1], a->point[2])
+	COINCIDENT(a->point[1], a->point[2]) ||				\
+	(a->point[0].x - a->center.x) * (a->point[0].x - a->center.x) +	\
+	(a->point[0].y - a->center.y) * (a->point[0].y - a->center.y) <	\
+	RADIUS2_MIN
+ 
+ typedef struct f_line {
+ 	int			type;
+--- a/fig2dev/read1_3.c
+++ b/fig2dev/read1_3.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2022 by Thomas Loimer
+ * Parts Copyright (c) 2015-2025 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -156,8 +156,10 @@
+ 	a->pen_color = a->fill_color = BLACK_COLOR;
+ 	a->depth = 0;
+ 	a->pen = 0;
+	a->fill_style = 0;
+ 	a->for_arrow = NULL;
+ 	a->back_arrow = NULL;
+	a->cap_style = 0;
+ 	a->comments = NULL;
+ 	a->next = NULL;
+ 	n = fscanf(fp,
+@@ -328,6 +330,10 @@
+ 		e->type = T_CIRCLE_BY_RAD;
+ 	else
+ 		e->type = T_CIRCLE_BY_DIA;
+	if (e->radiuses.x < 0)
+		e->radiuses.x *= -1;
+	if (e->radiuses.y < 0)
+		e->radiuses.y *= -1;
+ 	if (INVALID_ELLIPSE(e)) {
+ 		put_msg(Err_invalid, "ellipse");
+ 		free(e);
--- a/transfig.spec
+++ b/transfig.spec
@ -1,7 +1,7 @@
 Name:		transfig
 Summary:	Utility for converting FIG files (made by xfig) to other formats
 Version:	3.2.9
-Release:	2
+Release:	3
 Epoch:		1
 License:	MIT
 URL:		https://sourceforge.net/projects/mcj/
@ -11,6 +11,11 @@ Source0:	http://downloads.sourceforge.net/mcj/fig2dev-%{version}.tar.xz
 Patch0: 	CVE-2025-31162.patch
 Patch1: 	CVE-2025-31163.patch
 Patch2: 	CVE-2025-31164.patch
+Patch3: 	CVE-2025-46397.patch
+Patch4: 	CVE-2025-46398.patch
+Patch5: 	CVE-2025-46399.patch
+Patch6: 	CVE-2025-46400-1.patch
+Patch7: 	CVE-2025-46400-2.patch

 Requires:	netpbm-progs ghostscript bc

@ -49,6 +54,9 @@ figures into certain graphics languages.
 %{_mandir}/man1/*.1.gz

 %changelog
+* Tue Apr 29 2025 yaoxin <1024769339@qq.com> - 1:3.2.9-3
+- Fix CVE-2025-46397,CVE-2025-46398,CVE-2025-46399 and CVE-2025-46400
+
 * Tue Apr 01 2025 yaoxin <1024769339@qq.com> - 1:3.2.9-2
 - Fix CVE-2025-31162,CVE-2025-31163 and CVE-2025-31164