gnuplot: fix CVE-2025-31176

CVE-2025-31176:
A flaw was found in gnuplot. The plot3d_points() function may lead to a segmentation
fault and cause a system crash.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-31176]

Upstream patches:
[https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b456a3ef618f55a20b3071d336cb20514274f1d4/]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch

@@ -0,0 +1,86 @@
+From d0664704daa46d2e4440c0c50057d0dfa47467ea Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 11 Mar 2025 12:31:54 -0700
+Subject: [PATCH] guard against invalid read from plot->labels
+
+If a plot style uses points and the point chosen has PT_CHARACTER
+then the program looks for a possible font in plot->labels->font.
+These plot styles contain a flag bit HAS_POINT (gp_types.h).
+The program makes sure to initialize plot->labels for these styles.
+However a problem arises when a plot style that doesn't use points
+nevertheless triggers this same attempted font lookup by using a
+linetype that happens to use pointtype PT_CHARACTER.
+I think this is only possible with 'splot' but I added parallel
+checks for 'plot' as well.
+
+Bug 2776
+
+CVE: CVE-2025-31176
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b456a3ef618f55a20b3071d336cb20514274f1d4/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/boundary.c | 2 +-
+ src/graph3d.c  | 4 ++--
+ src/graphics.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/boundary.c b/src/boundary.c
+index fd2ac86f4..60dbce042 100644
+--- a/src/boundary.c
++++ b/src/boundary.c
+@@ -1440,7 +1440,7 @@ do_key_sample_point(
+ 	    (*t->pointsize)(pointsize);
+ 	if (on_page(xl + key_point_offset, yl)) {
+ 	    if (this_plot->lp_properties.p_type == PT_CHARACTER) {
+-		if (this_plot->labels->textcolor.type != TC_DEFAULT)
++		if (this_plot->labels && this_plot->labels->textcolor.type != TC_DEFAULT)
+ 		    apply_pm3dcolor(&(this_plot->labels->textcolor));
+ 		(*t->put_text) (xl + key_point_offset, yl, 
+ 				this_plot->lp_properties.p_char);
+diff --git a/src/graph3d.c b/src/graph3d.c
+index 0d3ca7221..48b02f580 100644
+--- a/src/graph3d.c
++++ b/src/graph3d.c
+@@ -2016,7 +2016,7 @@ plot3d_points(struct surface_points *plot)
+     /* Set whatever we can that applies to every point in the loop */
+     if (plot->lp_properties.p_type == PT_CHARACTER) {
+ 	ignore_enhanced(TRUE);
+-	if (plot->labels->font && plot->labels->font[0])
++	if (plot->labels && plot->labels->font && plot->labels->font[0])
+ 	    (*t->set_font) (plot->labels->font);
+ 	(*t->justify_text) (CENTRE);
+     }
+@@ -2111,7 +2111,7 @@ plot3d_points(struct surface_points *plot)
+ 
+     /* Return to initial state */
+     if (plot->lp_properties.p_type == PT_CHARACTER) {
+-	if (plot->labels->font && plot->labels->font[0])
++	if (plot->labels && plot->labels->font && plot->labels->font[0])
+ 	    (*t->set_font) ("");
+ 	ignore_enhanced(FALSE);
+     }
+diff --git a/src/graphics.c b/src/graphics.c
+index bdbebe92a..2b500b12b 100644
+--- a/src/graphics.c
++++ b/src/graphics.c
+@@ -2353,7 +2353,7 @@ plot_points(struct curve_points *plot)
+     /* Set whatever we can that applies to every point in the loop */
+     if (plot->lp_properties.p_type == PT_CHARACTER) {
+ 	ignore_enhanced(TRUE);
+-	if (plot->labels->font && plot->labels->font[0])
++	if (plot->labels && plot->labels->font && plot->labels->font[0])
+ 	    (*t->set_font) (plot->labels->font);
+ 	(*t->justify_text) (CENTRE);
+     }
+@@ -2475,7 +2475,7 @@ plot_points(struct curve_points *plot)
+ 
+     /* Return to initial state */
+     if (plot->lp_properties.p_type == PT_CHARACTER) {
+-	if (plot->labels->font && plot->labels->font[0])
++	if (plot->labels && plot->labels->font && plot->labels->font[0])
+ 	    (*t->set_font) ("");
+ 	ignore_enhanced(FALSE);
+     }
+-- 
+2.43.0
+

meta-oe/recipes-extended/gnuplot/gnuplot_5.4.3.bb

@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
            file://gnuplot.desktop \
            file://gnuplot.png \
            file://CVE-2025-3359.patch \
+           file://CVE-2025-31176.patch \
            "
 SRC_URI:append:class-target = " \
     file://0002-do-not-build-demos.patch \