File transfig-e0c4b024.patch of Package transfig.11759

Based on e0c4b02429116b15ad1568c2c425f06b95b95830 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Sat, 25 Aug 2018 20:46:45 +0200
Subject: [PATCH] Harden input in read.c, fixes tickets #27 and #28

Also fixes issues similar to those described in
https://sourceforge.net/p/mcj/tickets/27 and
https://sourceforge.net/p/mcj/tickets/28.
---
 fig2dev/dev/readpcx.c |    2 --
 fig2dev/read.c        |   47 +++++++++++++++++++++++++++++++++--------------
 2 files changed, 33 insertions(+), 16 deletions(-)

--- fig2dev/read.c
+++ fig2dev/read.c	2018-08-30 11:58:35.162677895 +0000
@@ -199,12 +199,23 @@ read_objects(FILE *fp, F_compound *obj)
 	int		object, coord_sys, len;
 
 	memset((char*)obj, '\0', COMOBJ_SIZE);
+
 	(void) fgets(buf, BUF_SIZE, fp);	/* get the version line */
+	if (strncmp(buf, "#FIG ", 5)) {
+	    put_msg("Incorrect format string in first line of input file.");
+	    return -1;
+	}
+
 	len = strlen(buf);
-	if (len > 0)
-	    buf[len-1] = '\0';			/* remove newline */
-	if (buf[len-2] == '\r')
-	    buf[len-2] = '\0';			/* and any CR (from a PC perhaps) */
+	if (buf[len-1] == '\n') {
+	    if (buf[len-2] == '\r')
+		buf[len-2] = '\0';
+	    else
+		buf[len-1] = '\0';
+	} else {	/* fgets() only stops at newline and end-of-file */
+	    put_msg("File is truncated at first line.");
+	    return -1;
+	}
 
 	/* v2_flag is for version 2 or higher */
 	v2_flag = (!strncmp(buf, "#FIG 2", 6) || !strncmp(buf, "#FIG 3", 6));
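Review bot: The return value of `fgets()` is still discarded with `(void)`, so on an empty file or a read error the new `strncmp(buf, "#FIG ", 5)` test inspects whatever `buf` held before the call rather than data from this file. Test the call directly, for example `if (fgets(buf, BUF_SIZE, fp) == NULL) { put_msg("Could not read first line of input file."); return -1; }`. The later `buf[len-2]` access is in bounds only because the prefix check guarantees `len >= 5`, which deserves a short comment so the two checks are not reordered later. A first line longer than `BUF_SIZE - 1` also lands in the "truncated" branch, so that message can be misleading.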
@@ -854,6 +865,8 @@ read_lineobject(FILE *fp)
 	l->next = NULL;
 	l->join_style = 0;
 	l->cap_style = 0;        /* butt line cap */
+	l->pic = NULL;
+	l->comments = NULL;
 
 	sscanf(buf,"%*d%d",&l->type);	/* get the line type */
 
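Review bot: Setting `l->pic` and `l->comments` to NULL one member at a time leaves every other member of the new object holding whatever the allocator returned, and the same single-member fix recurs for `s->comments` in read_splineobject and `t->comments` in read_textobject. Zeroing the whole object immediately after allocation, e.g. `memset(l, 0, sizeof *l);`, would also cover members added later and any pointer that an error path frees. The allocation is above this hunk, so confirm whether it already zeroes before relying on either form.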
@@ -920,12 +933,17 @@ read_lineobject(FILE *fp)
 	    note_arrow(type, style);
 	}
 	if (l->type == T_PIC_BOX) {
-	    Pic_malloc(l->pic);
-	    l->pic->transp = -1;
-	    if (l->pic  == NULL) {
+	    if ((Pic_malloc(l->pic)) == NULL) {
 		free((char *)l);
 		return NULL;
 	    }
+	    l->pic->transp = -1;
+	    l->pic->bitmap = NULL;
+#ifdef HAVE_X11_XPM_H
+	    /* initialize l->pic->xpmimage by (ab)using a
+	       public libxpm-function */
+	    XpmCreateXpmImageFromBuffer("", &l->pic->xpmimage, NULL);
+#endif
 	    if (get_line(fp) < 0 || sscanf(buf, "%d %[^\n]",
 					    &l->pic->flipped, file) != 2) {
 	        put_msg(Err_incomp, "Picture object", line_no);
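Review bot: The added `XpmCreateXpmImageFromBuffer("", &l->pic->xpmimage, NULL);` ignores the return value and depends on the library initialising its output before parsing the empty buffer fails, which is a side effect rather than a documented contract. If a zeroed structure is what later code expects, `memset(&l->pic->xpmimage, 0, sizeof l->pic->xpmimage);` states that directly and does not vary with the libXpm version; otherwise the comment should say which fields must be set and why. Separately, the `%[^\n]` conversion kept as context writes into `file` with no field width; its declaration is outside the hunk, so confirm it is at least as large as `buf`. The Pic_malloc failure path also returns without `put_msg(Err_mem);`, unlike the Point_malloc failure further down in read_lineobject.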
@@ -947,8 +965,7 @@ read_lineobject(FILE *fp)
 	    } else {
 		strcpy(l->pic->file, file);
 	    }
-	} else
-	    l->pic = NULL;
+	}
 
 	if (NULL == (l->points = Point_malloc(p))) {
 	    put_msg(Err_mem);
@@ -1029,6 +1046,7 @@ read_splineobject(FILE *fp)
 	s->fill_style = 0;
 	s->for_arrow = NULL;
 	s->back_arrow = NULL;
+	s->comments = NULL;
 	s->next = NULL;
 
 	if (v30_flag) {
@@ -1200,6 +1218,7 @@ read_textobject(FILE *fp)
 	Text_malloc(t);
 	t->font = 0;
 	t->size = 0.0;
+	t->comments = NULL;
 	t->next = NULL;
 
 	if (v30_flag) {	/* order of parms is more like other objects now,
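Review bot: The context lines show `Text_malloc(t);` followed directly by `t->font = 0;` with no NULL test in between, which is the same dereference-before-check order this commit corrects for `Pic_malloc` in read_lineobject. Unless the macro handles allocation failure itself (its definition is outside the hunk), the added `t->comments = NULL;` is one more write through a possibly NULL pointer. A guard in the style used elsewhere in the file would be `if (Text_malloc(t) == NULL) { put_msg(Err_mem); return NULL; }`, assuming the macro expands to an expression as the Pic_malloc change implies.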
@@ -1391,11 +1410,11 @@ get_line(FILE *fp)
 	if (*buf == '#') {			/* save any comments */
 	    if (save_comment() < 0)
 		return -1;
-	} else if (*buf != '\n') {		/* Skip empty lines */
-	    len = strlen(buf);
-	    buf[len-1] = '\0';			/* strip trailing newline */
-	    if (buf[len-2] == '\r')
-		buf[len-2] = '\0';		/* strip any trailing CRs */
+	    /* skip empty lines */
+	} else if (*buf != '\n' || !(*buf == '\r' && buf[1] == '\n')) {
+	    /* remove newline and possibly a carriage return */
+	    if (buf[len-1] == '\n')
+		buf[len - (buf[len-2] == '\r' ? 2 : 1)] = '\0';
 	    return 1;
 	}
     }
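Review bot: The new condition `*buf != '\n' || !(*buf == '\r' && buf[1] == '\n')` is true for every input, since a line starting with `'\n'` makes the second operand true, so empty lines are no longer skipped despite the comment. The hunk also removes `len = strlen(buf);` while still indexing with `len`; unless it is assigned above the hunk, `buf[len-1]` uses a stale or uninitialised value. Together these let a bare `"\n"` line reach `buf[len-2]` with `len == 1`, a read (and possibly a write) one byte before the buffer. Suggested lines: `} else if (*buf != '\n' && !(*buf == '\r' && buf[1] == '\n')) {` followed by `len = strlen(buf);` before the strip. get_line starts and ends outside this hunk.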
--- fig2dev/dev/readpcx.c
+++ fig2dev/dev/readpcx.c	2018-08-30 09:47:35.305361829 +0000
@@ -88,8 +88,6 @@ _read_pcx(FILE *pcxfile, F_pic *pic)
 	fprintf(tfp, "%% Begin Imported PCX File: %s\n\n", pic->file);
 	pic->subtype = P_PCX;
 
-	pic->bitmap=NULL;
-
 	fread(&header,1,sizeof(struct pcxhed),pcxfile);
 	if (header.manuf!=10 || header.encod!=1)
 	    return 0;