loaders svg: ++safety

prevent buffer overflow just in case.

Change-Id: I58e079d00b4840437632716c3cdd0deea144c5c6

diff --git a/src/loaders/svg/tvgSvgLoader.cpp b/src/loaders/svg/tvgSvgLoader.cpp
index e16ba83ab52fdda4ccff0f25496ab5aa3314abe6..83e738c831f49dbb09959205971d33940d30d11e 100644 (file)
--- a/src/loaders/svg/tvgSvgLoader.cpp
+++ b/src/loaders/svg/tvgSvgLoader.cpp
@@ -504,13 +504,13 @@ static void _toColor(const char* str, uint8_t* r, uint8_t* g, uint8_t* b, string
 }
 
 
-static char* _parseNumbersArray(char* str, float* points, int* ptCount)
+static char* _parseNumbersArray(char* str, float* points, int* ptCount, int len)
 {
     int count = 0;
     char* end = nullptr;
 
     str = _skipSpace(str, nullptr);
-    while (isdigit(*str) || *str == '-' || *str == '+' || *str == '.') {
+    while ((count < len) && (isdigit(*str) || *str == '-' || *str == '+' || *str == '.')) {
         points[count++] = strtof(str, &end);
         str = end;
         str = _skipSpace(str, nullptr);
@@ -586,11 +586,13 @@ static void _matrixCompose(const Matrix* m1, const Matrix* m2, Matrix* dst)
  */
 static Matrix* _parseTransformationMatrix(const char* value)
 {
+    const int POINT_CNT = 8;
+
     auto matrix = (Matrix*)malloc(sizeof(Matrix));
     if (!matrix) return nullptr;
     *matrix = {1, 0, 0, 0, 1, 0, 0, 0, 1};
 
-    float points[8];
+    float points[POINT_CNT];
     int ptCount = 0;
     char* str = (char*)value;
     char* end = str + strlen(str);
@@ -616,7 +618,7 @@ static Matrix* _parseTransformationMatrix(const char* value)
         str = _skipSpace(str, end);
         if (*str != '(') goto error;
         ++str;
-        str = _parseNumbersArray(str, points, &ptCount);
+        str = _parseNumbersArray(str, points, &ptCount, POINT_CNT);
         if (*str != ')') goto error;
         ++str;