pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/graphics/xfig add a patch from



details:   https://anonhg.NetBSD.org/pkgsrc/rev/bdce1624eb88
branches:  trunk
changeset: 568887:bdce1624eb88
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Wed Dec 23 14:21:48 2009 +0000

description:
add a patch from
https://bugzilla.redhat.com/show_bug.cgi?id=543905
to fix CVE-2009-4227
(Stack-based buffer overflow by loading malformed .FIG files)

diffstat:

 graphics/xfig/Makefile         |   4 +-
 graphics/xfig/distinfo         |   3 +-
 graphics/xfig/patches/patch-an |  53 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 3 deletions(-)

diffs (85 lines):

diff -r 0a304217f481 -r bdce1624eb88 graphics/xfig/Makefile
--- a/graphics/xfig/Makefile    Wed Dec 23 14:19:58 2009 +0000
+++ b/graphics/xfig/Makefile    Wed Dec 23 14:21:48 2009 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.59 2009/11/30 13:50:38 itohy Exp $
+# $NetBSD: Makefile,v 1.60 2009/12/23 14:21:48 drochner Exp $
 
 DISTNAME=      xfig.3.2.5b.full
 PKGNAME=       xfig-3.2.5b
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    graphics
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=mcj/}
 
diff -r 0a304217f481 -r bdce1624eb88 graphics/xfig/distinfo
--- a/graphics/xfig/distinfo    Wed Dec 23 14:19:58 2009 +0000
+++ b/graphics/xfig/distinfo    Wed Dec 23 14:21:48 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2009/11/04 15:34:08 gdt Exp $
+$NetBSD: distinfo,v 1.22 2009/12/23 14:21:48 drochner Exp $
 
 SHA1 (xfig.3.2.5b.full.tar.gz) = 0730d7e6bc217c0de02682efb0078821512bb542
 RMD160 (xfig.3.2.5b.full.tar.gz) = aad4cfd808c116d34218e9890a898652e4f52ab6
@@ -13,3 +13,4 @@
 SHA1 (patch-ak) = fcc358a595590ea3136d71bd9f61449d54914c46
 SHA1 (patch-al) = ca20d3ec7bcf2ac24fd0a415495f805add23142d
 SHA1 (patch-am) = 72adbda34425fda49f2072a3d40a3d942e07e1ba
+SHA1 (patch-an) = 4bfce8dbd420bc4b4d8efa5b01a39e3a9ce03ca6
diff -r 0a304217f481 -r bdce1624eb88 graphics/xfig/patches/patch-an
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/xfig/patches/patch-an    Wed Dec 23 14:21:48 2009 +0000
@@ -0,0 +1,53 @@
+$NetBSD: patch-an,v 1.1 2009/12/23 14:21:48 drochner Exp $
+
+--- f_readold.c.orig   2007-03-29 00:23:14.000000000 +0000
++++ f_readold.c
+@@ -471,7 +471,7 @@ read_1_3_textobject(FILE *fp)
+     F_text       *t;
+     int                   n;
+     int                   dum;
+-    char          buf[128];
++    char          buf[512];
+     PR_SIZE       tx_dim;
+ 
+     if ((t = create_text()) == NULL)
+@@ -485,22 +485,34 @@ read_1_3_textobject(FILE *fp)
+     t->pen_style = -1;
+     t->angle = 0.0;
+     t->next = NULL;
++    if (!fgets(buf, sizeof(buf), fp)) {
++      file_msg("Incomplete text data");
++      free((char *) t);
++      return (NULL);
++    }
++
++    /* Note using strlen(buf) here will waste a few bytes, as the
++       various text attributes are counted into this length too. */
++    if ((t->cstring = new_string(strlen(buf))) == NULL)
++        return (NULL);
++
+     /* ascent and length will be recalculated later */
+-    n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
++    n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
+               &t->font, &dum, &dum, &t->ascent, &t->length,
+-              &t->base_x, &t->base_y, buf);
++              &t->base_x, &t->base_y, t->cstring);
+     if (n != 8) {
+       file_msg("Incomplete text data");
++      free(t->cstring);
+       free((char *) t);
+       return (NULL);
+     }
+-    if ((t->cstring = new_string(strlen(buf))) == NULL) {
++
++    if (!strlen(t->cstring)) {
++      free(t->cstring);
+       free((char *) t);
+       file_msg("Empty text string at line %d.", line_no);
+       return (NULL);
+     }
+-    /* put string in structure */
+-    strcpy(t->cstring, buf);
+ 
+     /* get the font struct */
+     t->zoom = zoomscale;
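Review bot: The added allocation check `if ((t->cstring = new_string(strlen(buf))) == NULL) return (NULL);` returns without releasing `t`, while every other failure path in this hunk frees it; it should read `if ((t->cstring = new_string(strlen(buf))) == NULL) { free((char *) t); return (NULL); }`. Separately, `fgets(buf, sizeof(buf), fp)` stops after 511 bytes, so a longer text line is accepted in truncated form and its tail stays in the stream, presumably to be parsed as the start of the next object. Checking that `buf` ends in a newline (or that end of file was reached) and otherwise reporting the line through `file_msg` and returning NULL would make oversized input fail cleanly instead of desynchronising the reader. The body of read_1_3_textobject starts and ends outside the hunk, so how the caller handles a NULL return is not visible here.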


