diff --git a/CVE-2025-46397.patch b/CVE-2025-46397.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2d58cc76e3adb9737875b63a09c620c590702dd1
--- /dev/null
+++ b/CVE-2025-46397.patch
@@ -0,0 +1,52 @@
+From: Thomas Loimer
+Date: Thu, 10 Apr 2025 09:03:30 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b66
+Bug: https://sourceforge.net/p/mcj/tickets/192/
+Forwarded: not-needed
+Subject: Detect nan in spline control values, ticket #192
+ Fixes CVE-2025-46397
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -1469,8 +1469,11 @@ read_splineobject(FILE *fp, char **restr
+ free_splinestorage(s);
+ return NULL;
+ }
+- if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
+- rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
++ if ( !isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
++ {
+ /* do not care to clean up, we exit anyway
+ cp->next = NULL;
+ free_splinestorage(s); */
+--- a/fig2dev/tests/read.at
++++ b/fig2dev/tests/read.at
+@@ -581,6 +581,25 @@ EOF
+ ])
+ AT_CLEANUP
+
++AT_SETUP([reject nan in spline controls values, #192])
++AT_KEYWORDS([read.c])
++# Use an output language that does not natively support Bezier splines.
++# Otherwise, the huge values are simply copied to the output.
++AT_CHECK([fig2dev -L epic <
+Date: Tue, 8 Apr 2025 21:34:23 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/5f22009
+Bug: https://sourceforge.net/p/mcj/tickets/191/
+Forwarded: not-needed
+Subject: Permit \0 in the second line in the fig file, #191
+ Fix CVE-2025-46398
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -181,7 +181,8 @@ read_objects(FILE *fp, F_compound *obj)
+ }
+
+ /* check for embedded '\0' */
+- if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
++ if (*buf == '\0' || (strlen(buf) < sizeof buf - 1 &&
++ buf[strlen(buf) - 1] != '\n')) {
+ put_msg("ASCII NUL ('\\0') character within the first line.");
+ exit(EXIT_FAILURE);
+ /* seek to the end of the first line
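Review bot: `isfinite()` in the new condition of the `@@ -1469` hunk needs `<math.h>`, and this patch's only read.c hunk adds no include; the include that appears in this series is the `++#include /* sqrt() */` line of Sanitize-arc-objects.patch, so unless fig2dev.h already pulls math.h in, the spec has to apply that patch before this one or `isfinite` is an implicit declaration. The functional change is NaN only — infinities were already rejected by the range compare, but every `<`/`>` against NaN is false, which is why the old test let them through. A one-line comment above the condition would save the next reader that reasoning: `/* NaN compares false against every bound, so it must be tested explicitly */`. read_splineobject continues outside the hunk, and the test added to tests/read.at is cut off in this extraction.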
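Review bot: The new `*buf == '\0' ||` guard in the `@@ -181` hunk keeps `buf[strlen(buf) - 1]` from reading one byte before the buffer when the first byte is NUL, but the condition still calls strlen twice and the comment above it does not record why the empty case matters. Computing the length once makes the fix self-explanatory: `size_t len = strlen(buf);` followed by `if (len == 0 || (len < sizeof buf - 1 && buf[len - 1] != '\n')) {`, and the comment could read `/* check for embedded '\0'; an empty buffer must be caught before indexing buf[len - 1] */`. The message still says "within the first line" while the subject says this check covers the second line of the file — worth confirming which line the caller has just read, since the message is what a user sees. read_objects continues outside the hunk.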
diff --git a/CVE-2025-46399.patch b/CVE-2025-46399.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e806ec55367f453713da9d2a34313f11085e7a29
--- /dev/null
+++ b/CVE-2025-46399.patch
@@ -0,0 +1,27 @@
+From: Thomas Loimer
+Date: Tue, 8 Apr 2025 22:45:57 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/2bd6c0b
+Bug: https://sourceforge.net/p/mcj/tickets/190/
+Forwarded: not-needed
+Subject: ge output: correct spline computation, ticket #190
+ Fix CVE-2025-46399
+
+--- a/fig2dev/dev/genge.c
++++ b/fig2dev/dev/genge.c
+@@ -229,8 +229,6 @@ genge_itp_spline(F_spline *s)
+ int xmin, ymin;
+
+ a = s->controls;
+-
+- a = s->controls;
+ p = s->points;
+ /* go through the points to find the last two */
+ for (q = p->next; q != NULL; p = q, q = q->next) {
+@@ -238,6 +236,7 @@ genge_itp_spline(F_spline *s)
+ a = b;
+ }
+
++ a = s->controls;
+ p = s->points;
+ fprintf(tfp, "n %d %d m\n", p->x, p->y);
+ xmin = 999999;
diff --git a/CVE-2025-46400.patch b/CVE-2025-46400.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a9075e8ad4c1e69c877bf441567f755d9468353c
--- /dev/null
+++ b/CVE-2025-46400.patch
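Review bot: The re-seated `a = s->controls;` added after the loop in the second hunk of genge.c is the whole fix, yet nothing at that line says why it is there, and the first hunk shows how easily a duplicate of the same statement gets deleted as noise. I would annotate it: `/* the loop above advanced a along the control list in step with p; rewind before emitting */` — the advance is only partly visible here (`a = b;` in the loop's last lines). The walk also appears to assume the control list is at least as long as the point list; if the reader does not guarantee that, `a` can become NULL inside the loop, which deserves a check or a note where the loop begins. genge_itp_spline starts and ends outside the hunk.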
@@ -0,0 +1,64 @@
+From: Thomas Loimer
+Date: Sat, 25 Jan 2025 21:06:59 +0100
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0
+Bug: https://sourceforge.net/p/mcj/tickets/187/
+Forwarded: not-needed
+Subject: Reject arcs with a radius smaller than 3, #187
+ An arc with too small radius caused a crash in pict2e output. Instead
+ of dealing with such arcs in the pict2e driver, reject them already
+ when reading.
+ Fixes CVE-2025-46400
+
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,11 +92,14 @@ typedef struct f_ellipse {
+ struct f_ellipse *next;
+ } F_ellipse;
+
++#define RADIUS2_MIN 9
+ #define INVALID_ELLIPSE(e) \
+ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
+ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+ e->radiuses.x == 0 || e->radiuses.y == 0 || \
++ e->radiuses.x + e->radiuses.y < RADIUS2_MIN || \
+ e->angle < -7. || e->angle > 7.
++ /* radiuses are set to positive in read.c */
+
+ typedef struct f_arc {
+ int type;
+@@ -131,7 +134,10 @@ typedef struct f_arc {
+ (a->direction != 0 && a->direction != 1) || \
+ COINCIDENT(a->point[0], a->point[1]) || \
+ COINCIDENT(a->point[0], a->point[2]) || \
+- COINCIDENT(a->point[1], a->point[2])
++ COINCIDENT(a->point[1], a->point[2]) || \
++ (a->point[0].x - a->center.x) * (a->point[0].x - a->center.x) + \
++ (a->point[0].y - a->center.y) * (a->point[0].y - a->center.y) < \
++ RADIUS2_MIN
+
+ typedef struct f_line {
+ int type;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -157,8 +157,10 @@ read_arcobject(FILE *fp)
+ a->pen_color = a->fill_color = BLACK_COLOR;
+ a->depth = 0;
+ a->pen = 0;
++ a->fill_style = 0;
+ a->for_arrow = NULL;
+ a->back_arrow = NULL;
++ a->cap_style = 0;
+ a->comments = NULL;
+ a->next = NULL;
+ n = fscanf(fp,
+@@ -329,6 +331,10 @@ read_ellipseobject(FILE *fp)
+ e->type = T_CIRCLE_BY_RAD;
+ else
+ e->type = T_CIRCLE_BY_DIA;
++ if (e->radiuses.x < 0)
++ e->radiuses.x *= -1;
++ if (e->radiuses.y < 0)
++ e->radiuses.y *= -1;
+ if (INVALID_ELLIPSE(e)) {
+ put_msg(Err_invalid, "ellipse");
+ free(e);
diff --git a/Sanitize-arc-objects.patch b/Sanitize-arc-objects.patch
new file mode 100644
index 0000000000000000000000000000000000000000..03bc2a82590d897da795efb5ce85ec313b6fada5
--- /dev/null
+++ b/Sanitize-arc-objects.patch
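Review bot: `e->radiuses.x *= -1;` and its `.y` twin in the read1_3.c `@@ -329` hunk are signed overflow when the scanned value is INT_MIN, and the new `e->radiuses.x + e->radiuses.y < RADIUS2_MIN` term in INVALID_ELLIPSE overflows for two large positive radii; on a crafted file both are undefined behaviour rather than a rejection. Rejecting `INT_MIN` (the only value whose negation overflows) before the normalisation with the same `put_msg(Err_invalid, "ellipse"); free(e);` cleanup the INVALID_ELLIPSE branch uses, and widening the sum (`(long long)e->radiuses.x + e->radiuses.y < RADIUS2_MIN`), closes both. RADIUS2_MIN reads as a squared radius (3² = 9, and the arc term compares it against a squared distance), but the ellipse term compares it against the plain sum of the two radii, so radii of 1 and 8 pass — a comment at the `#define` should state which meaning is intended. The `/* radiuses are set to positive in read.c */` note sits after the macro's last line and refers to read.c, while this patch only normalises them in read1_3.c; confirm read.c does the same or the sum can see negative values there.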
@@ -0,0 +1,115 @@
+From: Thomas Loimer
+Date: Thu, 11 Aug 2022 16:16:41 +0200
+Origin: upstream, https://sourceforge.net/p/mcj/fig2dev/ci/c01c4d6
+Subject: Sanitize arc objects
+ Make sure, that the radius of an arc is larger than one Fig unit. Also, let
+ the distance between the center and the last point on the arc be equal to the
+ distance between the center and the first point on the arc.
+
+--- a/fig2dev/read.c
++++ b/fig2dev/read.c
+@@ -3,7 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2021 by Thomas Loimer
++ * Parts Copyright (c) 2015-2022 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -22,6 +22,7 @@
+
+ #include
+ #include
++#include /* sqrt() */
+ #include /* ptrdiff_t */
+ #include
+ #include
+@@ -32,7 +33,6 @@
+ #include
+
+ #include "fig2dev.h" /* includes bool.h and object.h */
+-//#include "object.h"
+ #include "alloc.h"
+ #include "free.h"
+ #include "messages.h"
+@@ -592,6 +592,50 @@ note_fill(int fill, int *color, int line
+ }
+ }
+
++/*
++ * An arc is given by its center, the endpoints, and a direction.
++ * Check, whether the distance from the last point to the center is equal to the
++ * distance between the first point and the center. If not, move the last point
++ * along the line connecting it to the center.
++ * Return 0 on success, -1 if the last point co-incides with the center point.
++ */
++static int
++sanitize_arc(F_arc *a, int line_no)
++{
++ double r, l;
++
++ if (a->point[0].x-1. < a->center.x && a->point[0].x+1. > a->center.x &&
++ a->point[0].y-1. < a->center.y &&
++ a->point[0].y+1. > a->center.y) {
++ put_msg("Invalid arc object at line %d: arc radius smaller "
++ "than one Fig unit.", line_no);
++ return -1;
++ }
++ if (a->point[2].x == round(a->center.x) &&
++ a->point[2].y == round(a->center.y)) {
++ put_msg("Invalid arc object at line %d: the end point "
++ "co-incides with the center of the arc.",
++ line_no);
++ return -1;
++ }
++
++#define LENGTH(DX, DY) sqrt((DX)*(DX) + (DY)*(DY))
++ r = LENGTH(a->point[0].x - a->center.x, a->point[0].y - a->center.y);
++ l = LENGTH(a->point[2].x - a->center.x, a->point[2].y - a->center.y);
++#undef LENGTH
++
++ /* Due to rounding, the lengths may be off by a maximum of half the
++ * diagonal of a square, sqrt(2)/2. */
++ if (l < r - 1.0 || l > r + 1.0) {
++ double fac = r / l;
++ a->point[2].x = round(a->center.x + fac *
++ (a->point[2].x - a->center.x));
++ a->point[2].y = round(a->center.y + fac *
++ (a->point[2].y - a->center.y));
++ }
++ return 0;
++}
++
+ static F_arc *
+ read_arcobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ {
+@@ -643,6 +687,8 @@ read_arcobject(FILE *fp, char **restrict
+ free(a);
+ return NULL;
+ }
++ if (sanitize_arc(a, *line_no))
++ return NULL;
+ fix_and_note_color(&a->pen_color, *line_no);
+ note_fill(a->fill_style, &a->fill_color, *line_no);
+ if (fa) {
+--- a/fig2dev/tests/output.at
++++ b/fig2dev/tests/output.at
+@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to vario
+ dnl Copyright (c) 1991 by Micah Beck
+ dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
+-dnl Parts Copyright (c) 2015-2021 by Thomas Loimer
++dnl Parts Copyright (c) 2015-2022 by Thomas Loimer
+ dnl
+ dnl Any party obtaining a copy of these files is granted, free of charge, a
+ dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -266,7 +266,7 @@ AT_SETUP([omit arrows without points, ti
+ AT_KEYWORDS(svg arrow)
+ AT_CHECK([fig2dev -L svg < - 1:3.2.8b-4
+- Fix CVE-2025-46397,CVE-2025-46398,CVE-2025-46399 and CVE-2025-46400
+ * Tue Apr 01 2025 caodongxia - 1:3.2.8b-3 - Fix CVE-2025-31162,CVE-2025-31163 and CVE-2025-31164
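Review bot: In `sanitize_arc` the rescaled end point is stored with `a->point[2].x = round(...)` and the `.y` line below it, and a double outside the int range converts with undefined behaviour; the scaled vector has length `r`, the distance from the center to the first point, so when the center (apparently a double, given `round(a->center.x)` in the same function) lies far from point[0] the result can exceed INT_MAX unless the reader already bounds the center. Checking the two rounded values against INT_MIN/INT_MAX before assigning, and rejecting the arc the way the two earlier checks do, closes that; the fence below sketches it (INT_MIN/INT_MAX come from `<limits.h>`, which CVE-2025-46397.patch's use of them in read.c suggests is already included there). The `#define LENGTH`/`#undef` pair would read more cleanly as a `static inline double length(double dx, double dy)` helper above the function. The `++#include /* sqrt() */` line of the `@@ -22` hunk (header name lost in this extraction, presumably `<math.h>`) is also what `isfinite()` in CVE-2025-46397.patch relies on, so the spec should apply this patch before that one. The tests/output.at part of this patch is cut off here.
```c
	/* … unchanged: the two rejection checks and the r / l computation … */
	if (l < r - 1.0 || l > r + 1.0) {
		double fac = r / l;
		double nx = round(a->center.x + fac * (a->point[2].x - a->center.x));
		double ny = round(a->center.y + fac * (a->point[2].y - a->center.y));
		/* converting an out-of-range double to int is undefined behaviour */
		if (nx < INT_MIN || nx > INT_MAX || ny < INT_MIN || ny > INT_MAX) {
			put_msg("Invalid arc object at line %d: end point out of range.",
					line_no);
			return -1;
		}
		a->point[2].x = nx;
		a->point[2].y = ny;
	}
	return 0;
```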