diff --git a/CVE-2025-46397.patch b/CVE-2025-46397.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ac1ff58b55145e63ba86d39610859344b76b8f0e
--- /dev/null
+++ b/CVE-2025-46397.patch
@@ -0,0 +1,49 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/192/
+https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
+
+--- a/fig2dev/read.c 2025-04-29 13:52:18.589400762 +0800
++++ b/fig2dev/read.c 2025-04-29 13:55:48.807400762 +0800
+@@ -1539,9 +1539,11 @@
+ free_splinestorage(s);
+ return NULL;
+ }
+- if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN ||
+- ly > INT_MAX || rx < INT_MIN || rx > INT_MAX ||
+- ry < INT_MIN || ry > INT_MAX) {
++ if ( !isfinite(lx) || lx < INT_MIN || lx > INT_MAX ||
++ !isfinite(ly) || ly < INT_MIN || ly > INT_MAX ||
++ !isfinite(rx) || rx < INT_MIN || rx > INT_MAX ||
++ !isfinite(ry) || ry < INT_MIN || ry > INT_MAX)
++ {
+ /* do not care to clean up, we exit anyway
+ cp->next = NULL;
+ free_splinestorage(s); */
+--- a/fig2dev/tests/read.at 2025-04-29 14:02:20.618400762 +0800
++++ b/fig2dev/tests/read.at 2025-04-29 14:03:13.226400762 +0800
+@@ -595,6 +595,25 @@
+ ])
+ AT_CLEANUP
+
++AT_SETUP([reject nan in spline controls values, #192])
++AT_KEYWORDS([read.c])
++# Use an output language that does not natively support Bezier splines.
++# Otherwise, the huge values are simply copied to the output.
++AT_CHECK([fig2dev -L epic <controls;
+-
+- a = s->controls;
+ p = s->points;
+ /* go through the points to find the last two */
+ for (q = p->next; q != NULL; p = q, q = q->next) {
+@@ -238,6 +236,7 @@
+ a = b;
+ }
+
++ a = s->controls;
+ p = s->points;
+ fprintf(tfp, "n %d %d m\n", p->x, p->y);
+ xmin = 999999;
diff --git a/CVE-2025-46400-1.patch b/CVE-2025-46400-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1e15a5a1c7f2b142210171d51768826427c0ef9f
--- /dev/null
+++ b/CVE-2025-46400-1.patch
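Review bot: The rewritten range check in the read.c hunk (`@@ -1539,9 +1539,11 @@`) calls `isfinite()`, but no `#include <math.h>` is added in the part of the patch visible here, so confirm that read.c already includes it. The reason for the extra test deserves a comment above the condition, for example `/* NaN compares false against every bound, so the range test alone lets it through */`, because a later cleanup could otherwise fold the `!isfinite()` terms back into the comparisons. The enclosing function starts and ends outside the hunk, and the remainder of this patch file is cut off on this page, so the include may simply not be shown.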
@@ -0,0 +1,48 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/187/
+https://sourceforge.net/p/mcj/fig2dev/ci/1e5515a1ea2ec8651cf85ab5000d026bb962492a/
+
+--- a/fig2dev/dev/genpict2e.c
++++ b/fig2dev/dev/genpict2e.c
+@@ -3,7 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2023 by Thomas Loimer
++ * Parts Copyright (c) 2015-2025 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -19,7 +19,7 @@
+ /*
+ * genpict2e.c: convert fig to pict2e macro language for LaTeX
+ *
+- * Author: Thomas Loimer, 2014-2023
++ * Author: Thomas Loimer, 2014-2025
+ * Based on the latex picture driver, genlatex.c
+ *
+ */
+@@ -2277,8 +2277,13 @@
+ l->join_style = MITERJOIN;
+
+ p = l->points;
+- if (p == NULL)
++ for (i = 0; i < 8 && p != NULL; ++i)
++ p = p->next;
++ /* If the radius is about 1, the spline may consist of
++ a few points only. */
++ if (i < 7)
+ return;
++ p = l->points;
+
+ /*
+ * Walk along the spline, until the arc angle is covered.
+@@ -2428,7 +2433,7 @@
+ rad = 0.5*(sqrt((double)d1x*d1x + (double)d1y*d1y) +
+ sqrt((double)d2x*d2x + (double)d2y*d2y));
+ rad = round(rad*10.0) / 10.0;
+- /* how precise must the angle be given?
++ /* how precise must the angle be given?
+ 1/rad is the view angle of one pixel */
+ da = 180.0 / M_PI / rad;
+ preca = 0;
diff --git a/CVE-2025-46400-2.patch b/CVE-2025-46400-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bf6403be132f0a93f5f2ecf5c97466ac737a0ac7
--- /dev/null
+++ b/CVE-2025-46400-2.patch
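Review bot: Every genpict2e.c hunk in CVE-2025-46400-1.patch is reversed by CVE-2025-46400-2.patch, whose genpict2e.c hunks are the exact inverse (the copyright years even go back from 2025 to 2023), so with Patch6 and Patch7 both applied genpict2e.c ends up unchanged. The fix left in effect is the validation added to object.h and read1_3.c, and nothing in the spec says so, which makes the pair hard to audit. A comment above the two Patch lines such as `# CVE-2025-46400-1 is reverted by -2; the fix in effect is the radius check in object.h and read1_3.c` would document it. In the guard itself, the loop bound `i < 8` and the test `if (i < 7)` use two different limits without explanation.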
@@ -0,0 +1,110 @@
+Origin:
+https://sourceforge.net/p/mcj/tickets/187/
+https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0d9af89d9738aad31c2d0873ac1fa03c96/
+
+--- a/fig2dev/dev/genpict2e.c
++++ b/fig2dev/dev/genpict2e.c
+@@ -3,7 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2025 by Thomas Loimer
++ * Parts Copyright (c) 2015-2023 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -19,7 +19,7 @@
+ /*
+ * genpict2e.c: convert fig to pict2e macro language for LaTeX
+ *
+- * Author: Thomas Loimer, 2014-2025
++ * Author: Thomas Loimer, 2014-2023
+ * Based on the latex picture driver, genlatex.c
+ *
+ */
+@@ -2277,13 +2277,8 @@
+ l->join_style = MITERJOIN;
+
+ p = l->points;
+- for (i = 0; i < 8 && p != NULL; ++i)
+- p = p->next;
+- /* If the radius is about 1, the spline may consist of
+- a few points only. */
+- if (i < 7)
++ if (p == NULL)
+ return;
+- p = l->points;
+
+ /*
+ * Walk along the spline, until the arc angle is covered.
+@@ -2433,7 +2428,7 @@
+ rad = 0.5*(sqrt((double)d1x*d1x + (double)d1y*d1y) +
+ sqrt((double)d2x*d2x + (double)d2y*d2y));
+ rad = round(rad*10.0) / 10.0;
+- /* how precise must the angle be given?
++ /* how precise must the angle be given?
+ 1/rad is the view angle of one pixel */
+ da = 180.0 / M_PI / rad;
+ preca = 0;
+--- a/fig2dev/object.h
++++ b/fig2dev/object.h
+@@ -92,11 +92,14 @@
+ struct f_ellipse *next;
+ } F_ellipse;
+
++#define RADIUS2_MIN 9
+ #define INVALID_ELLIPSE(e) \
+ e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
+ COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+ e->radiuses.x == 0 || e->radiuses.y == 0 || \
++ e->radiuses.x + e->radiuses.y < RADIUS2_MIN || \
+ e->angle < -7. || e->angle > 7.
++ /* radiuses are set to positive in read.c */
+
+ typedef struct f_arc {
+ int type;
+@@ -135,7 +138,10 @@
+ (a->direction != 0 && a->direction != 1) || \
+ COINCIDENT(a->point[0], a->point[1]) || \
+ COINCIDENT(a->point[0], a->point[2]) || \
+- COINCIDENT(a->point[1], a->point[2])
++ COINCIDENT(a->point[1], a->point[2]) || \
++ (a->point[0].x - a->center.x) * (a->point[0].x - a->center.x) + \
++ (a->point[0].y - a->center.y) * (a->point[0].y - a->center.y) < \
++ RADIUS2_MIN
+
+ typedef struct f_line {
+ int type;
+--- a/fig2dev/read1_3.c
++++ b/fig2dev/read1_3.c
+@@ -3,7 +3,7 @@
+ * Copyright (c) 1991 by Micah Beck
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2022 by Thomas Loimer
++ * Parts Copyright (c) 2015-2025 by Thomas Loimer
+ *
+ * Any party obtaining a copy of these files is granted, free of charge, a
+ * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -156,8 +156,10 @@
+ a->pen_color = a->fill_color = BLACK_COLOR;
+ a->depth = 0;
+ a->pen = 0;
++ a->fill_style = 0;
+ a->for_arrow = NULL;
+ a->back_arrow = NULL;
++ a->cap_style = 0;
+ a->comments = NULL;
+ a->next = NULL;
+ n = fscanf(fp,
+@@ -328,6 +330,10 @@
+ e->type = T_CIRCLE_BY_RAD;
+ else
+ e->type = T_CIRCLE_BY_DIA;
++ if (e->radiuses.x < 0)
++ e->radiuses.x *= -1;
++ if (e->radiuses.y < 0)
++ e->radiuses.y *= -1;
+ if (INVALID_ELLIPSE(e)) {
+ put_msg(Err_invalid, "ellipse");
+ free(e);
diff --git a/transfig.spec b/transfig.spec
index 255c2af26ef0112b49238dcf102925f69cc864e9..77d5bab539ead4d331c60c9eb3118890db215f6f 100644
--- a/transfig.spec
+++ b/transfig.spec
@@ -1,7 +1,7 @@
 Name: transfig
 Summary: Utility for converting FIG files (made by xfig) to other formats
 Version: 3.2.9
-Release: 2
+Release: 3
 Epoch: 1
 License: MIT
 URL: https://sourceforge.net/projects/mcj/
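Review bot: The sign flip added in the read1_3.c hunk (`@@ -328,6 +330,10 @@`), `if (e->radiuses.x < 0) e->radiuses.x *= -1;`, overflows when the value parsed from the input file is `INT_MIN`, assuming `radiuses.x` and `.y` are `int`, which the hunk does not show. The new `INVALID_ELLIPSE` term `e->radiuses.x + e->radiuses.y < RADIUS2_MIN` can likewise overflow for two large positive radii, and both cases are undefined behaviour on file-controlled data. Treating `INT_MIN` as invalid before negating and writing the term as `e->radiuses.x < RADIUS2_MIN - e->radiuses.y` avoids both without changing which ellipses are accepted. `RADIUS2_MIN` is compared with a squared distance in the arc check (`@@ -135,7 +138,10 @@`) but with a plain sum of radii here, so a comment on the `#define` saying which unit is meant would help. The added macro comment names read.c, while the only normalisation visible in this patch is in read1_3.c.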
@@ -11,6 +11,11 @@ Source0: http://downloads.sourceforge.net/mcj/fig2dev-%{version}.tar.xz Patch0: CVE-2025-31162.patch Patch1: CVE-2025-31163.patch Patch2: CVE-2025-31164.patch +Patch3: CVE-2025-46397.patch +Patch4: CVE-2025-46398.patch +Patch5: CVE-2025-46399.patch +Patch6: CVE-2025-46400-1.patch +Patch7: CVE-2025-46400-2.patch Requires: netpbm-progs ghostscript bc @@ -49,6 +54,9 @@ figures into certain graphics languages. %{_mandir}/man1/*.1.gz %changelog +* Tue Apr 29 2025 yaoxin <1024769339@qq.com> - 1:3.2.9-3 +- Fix CVE-2025-46397,CVE-2025-46398,CVE-2025-46399 and CVE-2025-46400 + * Tue Apr 01 2025 yaoxin <1024769339@qq.com> - 1:3.2.9-2 - Fix CVE-2025-31162,CVE-2025-31163 and CVE-2025-31164