From: JunsuChoi <jsuya.choi@samsung.com>
Date: Fri, 23 Oct 2020 02:55:07 +0000 (+0900)
Subject: svg_loader SvgLoader: Prevent memory overflow for tagName
X-Git-Tag: submit/tizen/20201108.215920~42
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=011bddda3048d8950a023f5f69907303f9f6bd4a;p=platform%2Fcore%2Fgraphics%2Ftizenvg.git

svg_loader SvgLoader: Prevent memory overflow for tagName

When copying tagName, if length of referenced string is longer
than general case, it is not used as tagName.

Change-Id: I205b4eb58f97a75bed43caafe55de8f56e6700d4
---

diff --git a/src/loaders/svg/tvgSvgLoader.cpp b/src/loaders/svg/tvgSvgLoader.cpp
index 35d2cfa..64d0ae6 100644
--- a/src/loaders/svg/tvgSvgLoader.cpp
+++ b/src/loaders/svg/tvgSvgLoader.cpp
@@ -2061,6 +2061,7 @@ static void _svgLoaderParserXmlOpen(SvgLoaderData* loader, const char* content,
         sz = attrs - content;
         attrsLength = length - sz;
         while ((sz > 0) && (isspace(content[sz - 1]))) sz--;
+        if ((unsigned int)sz > sizeof(tagName)) return;
         strncpy(tagName, content, sz);
         tagName[sz] = '\0';
     }
@@ -2375,6 +2376,7 @@ static bool _svgLoaderParserForValidCheckXmlOpen(SvgLoaderData* loader, const ch
         sz = attrs - content;
         attrsLength = length - sz;
         while ((sz > 0) && (isspace(content[sz - 1]))) sz--;
+        if ((unsigned int)sz > sizeof(tagName)) return false;
         strncpy(tagName, content, sz);
         tagName[sz] = '\0';
     }