An array index error in the fig2dev program in Xfig 3.2.6a allows remote attackers to cause a denial-of-service attack with a maliciously crafted Fig format file, related to a negative font value in dev/gentikz.c, and the read_textobject functions in read.c and read1_3.c.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881143 (patch included)
Created xfig tracking bugs for this issue:
Affects: epel-7 [bug 1515696]
Affects: fedora-all [bug 1515697]