new file mode 100644
@@ -0,0 +1,40 @@
+From 36a4355010a81a78cf9df03d3c76dcd599ed994b Mon Sep 17 00:00:00 2001
+From: Ethan A Merritt <merritt@u.washington.edu>
+Date: Wed, 15 Jan 2025 11:56:13 -0800
+Subject: [PATCH] dumb: more stringent tests against y bound of dumb terminal
+ charcell array
+
+Bug 2756
+
+CVE: CVE-2025-31177
+Upstream-Status: Backport [https://sourceforge.net/p/gnuplot/gnuplot-main/ci/226809aebb345e74d371bb43a2b434b490be527a/]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ term/dumb.trm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/term/dumb.trm b/term/dumb.trm
+index c93afb94e..bb22ca25f 100644
+--- a/term/dumb.trm
++++ b/term/dumb.trm
+@@ -637,7 +637,7 @@ DUMB_put_text(unsigned int x, unsigned int y, const char *str)
+ {
+ int i, length;
+
+- if (y > dumb_ymax)
++ if (y < 0 || y > dumb_ymax)
+ return;
+
+ length = gp_strlen(str);
+@@ -784,7 +784,7 @@ ENHdumb_FLUSH()
+ y += i;
+
+ /* print the string fragment, perhaps invisibly */
+- if (ENHdumb_show && y < dumb_ymax) {
++ if (ENHdumb_show && (0 <= y && y < dumb_ymax)) {
+ #ifdef DUMB_UTF8
+ for (i = 0; i < len && x < dumb_xmax; i++, x++) {
+ utf8_copy_one( (char *)(&DUMB_PIXEL(x, y)), gp_strchrn(str,i));
+--
+2.43.0
+
@@ -17,6 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/${PV}/${BP}.tar.gz;name=a
file://gnuplot.png \
file://CVE-2025-3359.patch \
file://CVE-2025-31176.patch \
+ file://CVE-2025-31177.patch \
"
SRC_URI:append:class-target = " \
file://0002-do-not-build-demos.patch \