--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/000-7aaddf5-buffer-overflow.patch Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,51 @@
+From 7aaddf52cd98589fb0c3ab72a393f8411838438a Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <[email protected]>
+Date: Fri, 4 Oct 2013 09:06:39 -0400
+Subject: [PATCH] Fix buffer overflow problem when reporting a syntax error
+ with a very long input line
+
+---
+ lib/cgraph/scan.l | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 3cfde0f..2efd203 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -16,6 +16,7 @@
+ %{
+ #include <grammar.h>
+ #include <cghdr.h>
++#include <agxbuf.h>
+ #include <ctype.h>
+ #define GRAPH_EOF_TOKEN '@' /* lex class must be defined below */
+ /* this is a workaround for linux flex */
+@@ -191,13 +192,21 @@ ID ({NAME}|{NUMBER})
+ %%
+ void yyerror(char *str)
+ {
++ unsigned char xbuf[BUFSIZ];
+ char buf[BUFSIZ];
+- if (InputFile)
+- sprintf(buf,"%s:%d: %s in line %d near '%s'\n",InputFile, line_num,
+- str,line_num,yytext);
+- else
+- sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);
+- agerr(AGWARN,buf);
++ agxbuf xb;
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++ if (InputFile) {
++ agxbput (&xb, InputFile);
++ agxbput (&xb, ": ");
++ }
++ sprintf(buf," %s in line %d near '", str,line_num);
++ agxbput (&xb, buf);
++ agxbput (&xb, yytext);
++ agxbput (&xb,"'\n");
++ agerr(AGWARN,agxbuse(&xb));
++ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
+ void aglexeof() { unput(GRAPH_EOF_TOKEN); }
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/001-d266bb2-buffer-overflow.patch Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,24 @@
+From d266bb2b4154d11c27252b56d86963aef4434750 Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <[email protected]>
+Date: Tue, 7 Jan 2014 10:45:36 -0500
+Subject: [PATCH] Prevent possible buffer overflow in yyerror()
+
+---
+ lib/cgraph/scan.l | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 3efe1d5..212967c 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -201,7 +201,8 @@ void yyerror(char *str)
+ agxbput (&xb, InputFile);
+ agxbput (&xb, ": ");
+ }
+- sprintf(buf," %s in line %d near '", str,line_num);
++ agxbput (&xb, str);
++ sprintf(buf," in line %d near '", line_num);
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/002-1d1bdec-buffer-overflow.patch Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,56 @@
+From 1d1bdec6318746f6f19f245db589eddc887ae8ff Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <[email protected]>
+Date: Wed, 8 Jan 2014 11:31:04 -0500
+Subject: [PATCH] Fix possible buffer overflow problem in chkNum of scanner.
+
+---
+ lib/cgraph/scan.l | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 212967c..d065b61 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -129,15 +129,32 @@ static void ppDirective (void)
+ * and report this to the user.
+ */
+ static int chkNum(void) {
+- unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
+- if (!isdigit(c) && (c != '.')) { /* c is letter */
+- char buf[BUFSIZ];
+- sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile);
+- strcat (buf, "splits into two name tokens\n");
+- agerr(AGWARN,buf);
+- return 1;
+- }
+- else return 0;
++ unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */
++ if (!isdigit(c) && (c != '.')) { /* c is letter */
++ unsigned char xbuf[BUFSIZ];
++ char buf[BUFSIZ];
++ agxbuf xb;
++ char* fname;
++
++ if (InputFile)
++ fname = InputFile;
++ else
++ fname = "input";
++
++ agxbinit(&xb, BUFSIZ, xbuf);
++
++ agxbput(&xb,"syntax ambiguity - badly delimited number '");
++ agxbput(&xb,yytext);
++ sprintf(buf,"' in line %d of ", line_num);
++ agxbput(&xb,buf);
++ agxbput(&xb,fname);
++ agxbput(&xb, " splits into two tokens\n");
++ agerr(AGWARN,agxbuse(&xb));
++
++ agxbfree(&xb);
++ return 1;
++ }
++ else return 0;
+ }
+
+ /* The LETTER class below consists of ascii letters, underscore, all non-ascii
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/003-99eda42-format-string.patch Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,34 @@
+This patch is taken from upstream and modified to adjust our currently
+released version.
+
+From 99eda421f7ddc27b14e4ac1d2126e5fe41719081 Mon Sep 17 00:00:00 2001
+From: "Emden R. Gansner" <[email protected]>
+Date: Mon, 24 Nov 2014 14:32:58 -0500
+Subject: [PATCH] Fix format string vulnerability in using agerr() to report
+ errors during parsing. We now use a fixed format %s, and pass the error
+ string as an argument.
+
+---
+ lib/cgraph/scan.l | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index 85a150a..a5872f4 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -225,6 +225,7 @@ ID ({NAME}|{NUMBER})
+ <hstring>([^><\n]*) addstr(yytext);
+ . return (yytext[0]);
+ %%
++
+ void yyerror(char *str)
+ {
+ unsigned char xbuf[BUFSIZ];
+@@ -273,7 +274,7 @@ void yyerror(char *str)
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
+- agerr(AGWARN,agxbuse(&xb));
++ agerr(AGWARN, "%s", agxbuse(&xb));
+ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/004-495f781-format-string.patch Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,33 @@
+From 495f781f91dca1fb165bbaa6abc0ced1c09535c8 Mon Sep 17 00:00:00 2001
+From: Tomas Hoger <[email protected]>
+Date: Wed, 20 May 2015 11:15:32 +0200
+Subject: [PATCH] Fix agerr() format string issue in chkNum()
+
+Commit 99eda42 fixed agerr() format string issue in yyerror(), but the
+same fix is also needed for chkNum(). In chkNum(), format string can be
+injected at least via malicious file name:
+
+ $ cat fs4-%n%s%s%s%s%s%s.dot
+ graph G { a [ weight = 0g ] }
+
+ $ dot fs4-%n%s%s%s%s%s%s.dot
+ Warning: *** %n in writable segment detected ***
+ Aborted
+---
+ lib/cgraph/scan.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/cgraph/scan.l b/lib/cgraph/scan.l
+index a5872f4..6aef10b 100644
+--- a/lib/cgraph/scan.l
++++ b/lib/cgraph/scan.l
+@@ -165,7 +165,7 @@ static int chkNum(void) {
+ agxbput(&xb,buf);
+ agxbput(&xb,fname);
+ agxbput(&xb, " splits into two tokens\n");
+- agerr(AGWARN,agxbuse(&xb));
++ agerr(AGWARN, "%s", agxbuse(&xb));
+
+ agxbfree(&xb);
+ return 1;
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/graphviz/patches/005-10a1322-format-string.patch Wed Aug 03 15:33:19 2016 -0700
@@ -0,0 +1,56 @@
+From 10a132289ffe4ed9a398bebca13cb41c1006bd13 Mon Sep 17 00:00:00 2001
+From: Tomas Hoger <[email protected]>
+Date: Wed, 20 May 2015 11:22:11 +0200
+Subject: [PATCH 2/2] Additional agerr() format string fixes
+
+Similar to commit 99eda42, ensure the second argument to agerr() is
+fixed string with no user inputs. Change applied to:
+
+* cmd/tools/gmlscan.l - unclear if this can be exploited in practice, as
+ only yytext can possibly hold format string
+* lib/graph/lexer.c - format string can be injected via graph file
+ content. Note that libgraph is deprecated as of version 2.30.0, so
+ this fix is more relevant for older graphviz versions.
+---
+ cmd/tools/gmlscan.l | 2 +-
+ lib/graph/lexer.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/cmd/tools/gmlscan.l b/cmd/tools/gmlscan.l
+index ea8db0f..e83ca4f 100644
+--- a/cmd/tools/gmlscan.l
++++ b/cmd/tools/gmlscan.l
+@@ -127,7 +127,7 @@ void yyerror(char *str)
+ return;
+ errors = 1;
+ sprintf(buf," %s in line %d near '%s'\n", str,line_num,yytext);
+- agerr(AGWARN,buf);
++ agerr(AGWARN, "%s", buf);
+ }
+
+ int gmlerrors()
+diff --git a/lib/graph/lexer.c b/lib/graph/lexer.c
+index 05452c8..790563b 100644
+--- a/lib/graph/lexer.c
++++ b/lib/graph/lexer.c
+@@ -460,16 +460,16 @@ static void error_context(void)
+ if (buf < p) {
+ c = *p;
+ *p = '\0';
+- agerr(AGPREV, buf);
++ agerr(AGPREV, "%s", buf);
+ *p = c;
+ }
+ agerr(AGPREV, " >>> ");
+ c = *LexPtr;
+ *LexPtr = '\0';
+- agerr(AGPREV, p);
++ agerr(AGPREV, "%s", p);
+ *LexPtr = c;
+ agerr(AGPREV, " <<< ");
+- agerr(AGPREV, LexPtr);
++ agerr(AGPREV, "%s", LexPtr);
+ }
+
+ void agerror(char *msg)
+