From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Fri Jul 26 23:25:50 2019 +0200
Bug-Debian: https://bugs.debian.org/933075
Bug: https://sourceforge.net/p/mcj/tickets/52/
Origin: https://sourceforge.net/p/mcj/fig2dev/ci/03ea45
Subject: Allow circle arrowheads when mag >= 42, ticket #52
 Circle and half-circle arrowheads would be drawn with 40 + mag/4 points by
 calc_arrow() in bound.c. However, the point arrays passed to calc_arrow()
 would only contain 50 points. With a magnification >= 42, a buffer overrun
 would occur. Simply use 40 points, independent of magnification.
 .
 This fixes CVE-2019-14275

--- a/fig2dev/bound.c
+++ b/fig2dev/bound.c
@@ -905,7 +905,7 @@ calc_arrow(int x1, int y1, int x2, int y
 	    /*
 	     * CIRCLE and HALF-CIRCLE arrowheads
 	     *
-	     * We approximate circles with (40+zoom)/4 points
+	     * We approximate circles with 40 points
 	     */
 	    double	maxx;
 	    double	fix_x, fix_y, xs, ys;
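Review bot: the comment being replaced in this hunk said "(40+zoom)/4 points" while the code it described computed 40 + mag/4, so the old comment already disagreed with the arithmetic; the new wording matches the new code, but it still gives no reason for the number 40. Suggest recording the constraint that motivated the change, for example `* We approximate circles with 40 points; callers pass arrays of 50 points, so this must stay <= 50`, so whoever next tunes the point count sees the bound it has to respect.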
@@ -936,8 +936,8 @@ calc_arrow(int x1, int y1, int x2, int y
 	    dy = my - ys;
 	    fix_x = xs + (dx / 2.0);
 	    fix_y = ys + (dy / 2.0);
-	    /* choose number of points for circle - 40+mag/4 points */
-	    *npoints = np = round(mag/4.0) + 40;
+	    /* choose number of points for circle */
+	    *npoints = np = 40;
 
 	    if (type == 5) {
 		/* full circle */
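Review bot: fixing np at 40 keeps it under the 50-element arrays the commit message mentions, but calc_arrow() still never learns the capacity of the arrays it fills, so the fix rests on an implicit contract between callers and callee. Suggest passing the array size in (or sharing one named constant between the callers and this function) and asserting the bound right after `*npoints = np = 40;`, so a later change to either the point count or the array size fails loudly instead of overrunning again.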
