Hello community, here is the log from the commit of package dia checked in at Fri Mar 31 15:29:57 CEST 2006. -------- --- GNOME/dia/dia.changes 2006-02-24 13:55:33.000000000 +0100 +++ dia/dia.changes 2006-03-30 17:27:07.000000000 +0200 @@ -1,0 +2,6 @@ +Thu Mar 30 17:26:12 CEST 2006 - sbrabec@suse.cz + +- Fixed XFig import buffer overflows (#162074). + http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html + +------------------------------------------------------------------- New: ---- dia-xfig.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dia.spec ++++++ --- /var/tmp/diff_new_pack.UmIcdE/_old 2006-03-31 15:29:35.000000000 +0200 +++ /var/tmp/diff_new_pack.UmIcdE/_new 2006-03-31 15:29:35.000000000 +0200 @@ -19,7 +19,7 @@ Autoreqprov: on Summary: A Diagram Creation Program Version: 0.94 -Release: 27 +Release: 33 Source: ftp://ftp.gnome.org/pub/GNOME/stable/sources/dia/dia-%{version}.tar.bz2 Source1: font-test-japanese.dia Source2: font-test-czech.dia @@ -32,6 +32,7 @@ Patch7: dia-cairo-0.5.patch Patch8: dia-group-props-size.patch Patch9: dia-can-2005-2966.patch +Patch10: dia-xfig.patch URL: http://www.gnome.org/projects/dia/ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -66,6 +67,9 @@ %patch7 %patch8 %patch9 +cd plug-ins/xfig +%patch10 +cd ../.. gnome-patch-translation-update cp $RPM_SOURCE_DIR/font-test*dia . @@ -110,6 +114,9 @@ %prefix/share/pixmaps/* %changelog -n dia +* Thu Mar 30 2006 - sbrabec@suse.cz +- Fixed XFig import buffer overflows (#162074). + http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html * Fri Feb 24 2006 - sbrabec@suse.cz - Improved Categories. * Wed Feb 15 2006 - stbinner@suse.de ++++++ dia-xfig.patch ++++++ diff -u /tmp/dia-0.94/plug-ins/xfig/xfig.h ./xfig.h --- /tmp/dia-0.94/plug-ins/xfig/xfig.h 2004-08-16 09:56:21.000000000 +0200 +++ ./xfig.h 2006-03-29 21:40:15.000000000 +0200 
@@ -6,6 +6,7 @@ #define FIG_MAX_DEFAULT_COLORS 32 #define FIG_MAX_USER_COLORS 512 +#define FIG_MAX_DEPTHS 1000 /* 1200 PPI */ #define FIG_UNIT 472.440944881889763779527559055118 /* 1/80 inch */ diff -u /tmp/dia-0.94/plug-ins/xfig/xfig-import.c ./xfig-import.c --- /tmp/dia-0.94/plug-ins/xfig/xfig-import.c 2004-08-16 09:56:21.000000000 +0200 +++ ./xfig-import.c 2006-03-29 21:40:21.000000000 +0200 @@ -441,11 +441,17 @@ static Color fig_color(int color_index) { - if (color_index == -1) + if (color_index <= -1) return color_black; /* Default color */ - if (color_index < FIG_MAX_DEFAULT_COLORS) + else if (color_index < FIG_MAX_DEFAULT_COLORS) return fig_default_colors[color_index]; - else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS]; + else if (color_index < FIG_MAX_USER_COLORS) + return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS]; + else { + message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."), + color_index); + return color_black; + } } static Color @@ -563,23 +569,25 @@ static int fig_read_n_points(FILE *file, int n, Point **points) { int i; - Point *new_points; - - new_points = (Point*)g_malloc(sizeof(Point)*n); + GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n); for (i = 0; i < n; i++) { int x,y; + Point p; if (fscanf(file, " %d %d ", &x, &y) != 2) { message_error(_("Error while reading %dth of %d points: %s\n"), i, n, strerror(errno)); - free(new_points); + g_array_free(points_list, TRUE); return FALSE; } - new_points[i].x = x/FIG_UNIT; - new_points[i].y = y/FIG_UNIT; + p.x = x/FIG_UNIT; + p.y = y/FIG_UNIT; + g_array_append_val(points_list, p); } fscanf(file, "\n"); - *points = new_points; + + *points = (Point *)points_list->data; + g_array_free(points_list, FALSE); return TRUE; } 
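Review bot: The new error message in fig_color hard-codes `512` while the guard on the line above it compares against FIG_MAX_USER_COLORS, so the text silently goes stale if the limit ever changes; pass the macro instead, `message_error(_("Color index %d too high, only %d colors allowed. Using black instead."), color_index, FIG_MAX_USER_COLORS);`. Widening the first test to `<= -1` is a sound default, since the removed code let any negative index other than -1 fall through to `fig_default_colors[color_index]` with a negative subscript. fig_color is fully contained in this hunk.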
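Review bot: fig_read_n_points still takes n straight from the file: a negative n is converted to guint in `g_array_sized_new(FALSE, FALSE, sizeof(Point), n)`, and a huge reservation is likely to end in GLib's allocation-failure abort rather than a failed import. Unless the caller validates it (not visible in this hunk), reject it before allocating, `if (n < 0) return FALSE;`. The `g_array_free(points_list, FALSE)` at the end hands the element buffer to the caller, so the function's contract should say so in a comment, e.g. `/* On success *points is a g_malloc'd array of n Points owned by the caller, to be released with g_free(). */`. The ignored return value of `fscanf(file, "\n")` predates this change.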
@@ -683,7 +691,7 @@ return text_buf; } -static GList *depths[1000]; +static GList *depths[FIG_MAX_DEPTHS]; /* If there's something in the compound stack, we ignore the depth field, as it will be determined by the group anyway */ @@ -693,6 +701,26 @@ level. Best we can do now. */ static int compound_depth; +/** Add an object at a given depth. This function checks for depth limits + * and updates the compound depth if needed. + * + * @param newobj An object to add. If we're inside a compound, this + * doesn't really add the object. + * @param depth A depth as in the Fig format, max 999 + */ +static void +add_at_depth(DiaObject *newobj, int depth) { + if (depth < 0 || depth >= FIG_MAX_DEPTHS) { + message_error(_("Depth %d of of range, only 0-%d allowed.\n"), + depth, FIG_MAX_DEPTHS-1); + depth = FIG_MAX_DEPTHS - 1; + } + if (compound_stack == NULL) + depths[depth] = g_list_append(depths[depth], newobj); + else + if (compound_depth > depth) compound_depth = depth; +} + static DiaObject * fig_read_ellipse(FILE *file, DiagramData *dia) { int sub_type; @@ -749,10 +777,7 @@ /* Angle -- can't rotate yet */ /* Depth field */ - if (compound_stack == NULL) - depths[depth] = g_list_append(depths[depth], newobj); - else - if (compound_depth > depth) compound_depth = depth; + add_at_depth(newobj, depth); return newobj; } @@ -885,10 +910,7 @@ /* Cap style */ /* Depth field */ - if (compound_stack == NULL) - depths[depth] = g_list_append(depths[depth], newobj); - else - if (compound_depth > depth) compound_depth = depth; + add_at_depth(newobj, depth); exit: prop_list_free(props); g_free(forward_arrow_info); @@ -1111,10 +1133,7 @@ /* Cap style */ /* Depth field */ - if (compound_stack == NULL) - depths[depth] = g_list_append(depths[depth], newobj); - else - if (compound_depth > depth) compound_depth = depth; + add_at_depth(newobj, depth); exit: prop_list_free(props); g_free(forward_arrow_info); 
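Review bot: The error text introduced in add_at_depth reads `"Depth %d of of range, only 0-%d allowed.\n"`; the doubled "of" should be "out of", and because the string is wrapped in _() the typo would also land in the translation catalog as a msgid. Proposed: `message_error(_("Depth %d out of range, only 0-%d allowed.\n"), depth, FIG_MAX_DEPTHS-1);`. The doc comment says only "max 999" but the body reports and then clamps an out-of-range depth to FIG_MAX_DEPTHS-1 rather than discarding the object, which the `@param depth` line should state, e.g. `@param depth A depth as in the Fig format, 0..FIG_MAX_DEPTHS-1; out-of-range values are reported and clamped to FIG_MAX_DEPTHS-1.` The remaining hunks on this line only replace the inline depth-insertion with calls to add_at_depth and need no further comment.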
@@ -1202,10 +1221,7 @@ /* Cap style */ /* Depth field */ - if (compound_stack == NULL) - depths[depth] = g_list_append(depths[depth], newobj); - else - if (compound_depth > depth) compound_depth = depth; + add_at_depth(newobj, depth); exit: g_free(forward_arrow_info); @@ -1298,10 +1314,7 @@ newobj->ops->set_props(newobj, props); /* Depth field */ - if (compound_stack == NULL) - depths[depth] = g_list_append(depths[depth], newobj); - else - if (compound_depth > depth) compound_depth = depth; + add_at_depth(newobj, depth); exit: if (text_buf != NULL) free(text_buf); @@ -1347,6 +1360,12 @@ return FALSE; } + if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) { + message_error(_("Color number %d out of range 0..%d. Discarding color.\n"), + colornumber, FIG_MAX_USER_COLORS); + return FALSE; + } + color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0; color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0; color.blue = (colorvalues & 0x000000ff) / 255.0; @@ -1393,7 +1412,7 @@ } /* Group extends don't really matter */ if (compound_stack == NULL) - compound_depth = 999; + compound_depth = FIG_MAX_DEPTHS - 1; compound_stack = g_slist_append(compound_stack, NULL); return TRUE; break; @@ -1551,7 +1570,7 @@ for (i = 0; i < FIG_MAX_USER_COLORS; i++) { fig_colors[i] = color_black; } - for (i = 0; i < 1000; i++) { + for (i = 0; i < FIG_MAX_DEPTHS; i++) { depths[i] = NULL; } @@ -1606,7 +1625,7 @@ } while (TRUE); /* Now we can reorder for the depth fields */ - for (i = 0; i < 1000; i++) { + for (i = 0; i < FIG_MAX_DEPTHS; i++) { if (depths[i] != NULL) layer_add_objects_first(dia->active_layer, depths[i]); } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
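Review bot: The new range check on user colour definitions accepts `colornumber == FIG_MAX_USER_COLORS` because it tests with `>`, while fig_color in the earlier hunk rejects any index `>= FIG_MAX_USER_COLORS`, so colour 512 can be defined but never looked up; the lower bound `32` is also FIG_MAX_DEFAULT_COLORS spelled as a literal. Use `if (colornumber < FIG_MAX_DEFAULT_COLORS || colornumber >= FIG_MAX_USER_COLORS) {` and let the message state the real range, `message_error(_("Color number %d out of range %d..%d. Discarding color.\n"), colornumber, FIG_MAX_DEFAULT_COLORS, FIG_MAX_USER_COLORS-1);`, since the current text claims 0..512 although values below 32 are rejected. The store into fig_colors that this check guards, and the enclosing function's start, are outside the hunk, so whether index 512 would actually overrun depends on how colornumber is offset there.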