new file mode 100644
@@ -0,0 +1,86 @@
+From d0664704daa46d2e4440c0c50057d0dfa47467ea Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Tue, 11 Mar 2025 12:31:54 -0700
+Subject: [PATCH] guard against invalid read from plot->labels
+
+If a plot style uses points and the point chosen has PT_CHARACTER
+then the program looks for a possible font in plot->labels->font.
+These plot styles contain a flag bit HAS_POINT (gp_types.h).
+The program makes sure to initialize plot->labels for these styles.
+However a problem arises when a plot style that doesn't use points
+nevertheless triggers this same attempted font lookup by using a
+linetype that happens to use pointtype PT_CHARACTER.
+I think this is only possible with 'splot' but I added parallel
+checks for 'plot' as well.
+
+Bug 2776
+
+CVE: CVE-2025-31176
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/b456a3ef618f55a20b3071d336cb20514274f1d4/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/boundary.c | 2 +-
+ src/graph3d.c | 4 ++--
+ src/graphics.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/boundary.c b/src/boundary.c
+index fd2ac86f4..60dbce042 100644
+--- a/src/boundary.c
++++ b/src/boundary.c
+@@ -1440,7 +1440,7 @@ do_key_sample_point(
+ (*t->pointsize)(pointsize);
+ if (on_page(xl + key_point_offset, yl)) {
+ if (this_plot->lp_properties.p_type == PT_CHARACTER) {
+- if (this_plot->labels->textcolor.type != TC_DEFAULT)
++ if (this_plot->labels && this_plot->labels->textcolor.type != TC_DEFAULT)
+ apply_pm3dcolor(&(this_plot->labels->textcolor));
+ (*t->put_text) (xl + key_point_offset, yl,
+ this_plot->lp_properties.p_char);
+diff --git a/src/graph3d.c b/src/graph3d.c
+index 0d3ca7221..48b02f580 100644
+--- a/src/graph3d.c
++++ b/src/graph3d.c
+@@ -2016,7 +2016,7 @@ plot3d_points(struct surface_points *plot)
+ /* Set whatever we can that applies to every point in the loop */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+ ignore_enhanced(TRUE);
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) (plot->labels->font);
+ (*t->justify_text) (CENTRE);
+ }
+@@ -2111,7 +2111,7 @@ plot3d_points(struct surface_points *plot)
+
+ /* Return to initial state */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) ("");
+ ignore_enhanced(FALSE);
+ }
+diff --git a/src/graphics.c b/src/graphics.c
+index bdbebe92a..2b500b12b 100644
+--- a/src/graphics.c
++++ b/src/graphics.c
+@@ -2353,7 +2353,7 @@ plot_points(struct curve_points *plot)
+ /* Set whatever we can that applies to every point in the loop */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+ ignore_enhanced(TRUE);
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) (plot->labels->font);
+ (*t->justify_text) (CENTRE);
+ }
+@@ -2475,7 +2475,7 @@ plot_points(struct curve_points *plot)
+
+ /* Return to initial state */
+ if (plot->lp_properties.p_type == PT_CHARACTER) {
+- if (plot->labels->font && plot->labels->font[0])
++ if (plot->labels && plot->labels->font && plot->labels->font[0])
+ (*t->set_font) ("");
+ ignore_enhanced(FALSE);
+ }
+--
+2.43.0
+
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
file://gnuplot.desktop \
file://gnuplot.png \
file://CVE-2025-3359.patch \
+ file://CVE-2025-31176.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \