Commit e6ce8b0c authored by Ariadne Conill

main/graphviz: add mitigation for CVE-2020-18032

parent dadd3452
......@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <>
pkgdesc="Graph Visualization Tools"
......@@ -20,8 +20,13 @@ subpackages="$pkgname-dev $pkgname-doc py3-gv:_py3 lua$_luaver-$pkgname:_lua
# secfixes:
# 2.42.3-r1:
# - CVE-2020-18032
prepare() {
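Review bot: the `# secfixes:` block records the fix under `2.42.3-r1:`, so the `pkgrel` bump to 1 has to land in this same commit (the first hunk at @@ -3,7 +3,7 @@ shows only the Maintainer and pkgdesc context here); the secdb generator keys the CVE to that exact pkgrel, and a mismatch would leave CVE-2020-18032 reported as unfixed for the rebuilt package. The hunk header counts five added lines but only the three secfixes lines are visible, so also confirm that the `CVE-2020-18032.patch` entry added to `source=` uses the same filename as the new sha512sums line.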
......@@ -112,5 +117,8 @@ graphs() {
e03ca6da0ddb1162bd179d159d7dbb379d55012d63bb922aa800260fce52b65beb1a9b5ca1a5199ad3537201b0b4841efc9facee6e03065c6bd02e840f8a29c9 graphviz-2.42.3.tar.gz
aa4cbc341906a949a6bf78cadd96c437d6bcc90369941fe03519aa4447731ecbf6063a0dd0366d3e7aaadf22b69e4bcab3f8632a7da7a01f8e08a3be05c2bc5d 0001-clone-nameclash.patch
d4b818a3349a1c733177db0d4455004d47670ef1f07a670428d7c025edd6604e8342ff6906faa48abdd8e4abc0c42feb58cb1fdf116ae98fade5dbcb965d0843 CVE-2020-18032.patch
From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001
From: Matthew Fernandez <>
Date: Sat, 25 Jul 2020 19:31:01 -0700
Subject: [PATCH] fix: out-of-bounds write on invalid label
When the label for a node cannot be parsed (due to it being malformed), it falls
back on the symbol name of the node itself. I.e. the default label the node
would have had if it had no label attribute at all. However, this is applied by
dynamically altering the node's label to "\N", a shortcut for the symbol name of
the node. All of this is fine, however if the hand written label itself is
shorter than the literal string "\N", not enough memory would have been
allocated to write "\N" into the label text.
Here we account for the possibility of error during label parsing, and assume
that the label text may need to be overwritten with "\N" after the fact. Fixes
issue #1700.
lib/common/shapes.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/common/shapes.c b/lib/common/shapes.c
index 0a0635fc3..9dca9ba6e 100644
--- a/lib/common/shapes.c
+++ b/lib/common/shapes.c
@@ -3546,9 +3546,10 @@ static void record_init(node_t * n)
reclblp = ND_label(n)->text;
len = strlen(reclblp);
/* For some forgotten reason, an empty label is parsed into a space, so
- * we need at least two bytes in textbuf.
+ * we need at least two bytes in textbuf, as well as accounting for the
+ * error path involving "\\N" below.
- len = MAX(len, 1);
+ len = MAX(MAX(len, 1), (int)strlen("\\N"));
textbuf = N_NEW(len + 1, char);
if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) {
agerr(AGERR, "bad label format %s\n", ND_label(n)->text);
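Review bot: the sizing change in `len = MAX(MAX(len, 1), (int)strlen("\\N"));` does close the described hole, since `textbuf = N_NEW(len + 1, char);` now always has room for the two-character fallback label plus its terminator even when the hand-written label is a single byte; two smaller points. `(int)strlen("\\N")` is a runtime call on a string literal: `sizeof("\\N") - 1` evaluates at compile time and, folded into a single `MAX(len, 2)` with the comment stating where the 2 comes from, reads more plainly than the nested MAX. Also, the comment's closing `*/` is not among the context lines shown after the two `+` comment lines, so check that the edit left the block comment terminated before `len = ...`, otherwise the assignment is swallowed into the comment and the allocation keeps the old size.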
