From: Hermet Park Date: Tue, 20 Apr 2021 08:43:16 +0000 (+0900) Subject: loaders svg: ++safety X-Git-Tag: submit/tizen/20210420.110608~2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=84d7116108381768a193161fefd0f9506a41ac18;p=platform%2Fcore%2Fgraphics%2Ftizenvg.git loaders svg: ++safety prevent buffer overflow just in case. Change-Id: I58e079d00b4840437632716c3cdd0deea144c5c6 --- diff --git a/src/loaders/svg/tvgSvgLoader.cpp b/src/loaders/svg/tvgSvgLoader.cpp index e16ba83a..83e738c8 100644 --- a/src/loaders/svg/tvgSvgLoader.cpp +++ b/src/loaders/svg/tvgSvgLoader.cpp @@ -504,13 +504,13 @@ static void _toColor(const char* str, uint8_t* r, uint8_t* g, uint8_t* b, string } -static char* _parseNumbersArray(char* str, float* points, int* ptCount) +static char* _parseNumbersArray(char* str, float* points, int* ptCount, int len) { int count = 0; char* end = nullptr; str = _skipSpace(str, nullptr); - while (isdigit(*str) || *str == '-' || *str == '+' || *str == '.') { + while ((count < len) && (isdigit(*str) || *str == '-' || *str == '+' || *str == '.')) { points[count++] = strtof(str, &end); str = end; str = _skipSpace(str, nullptr); @@ -586,11 +586,13 @@ static void _matrixCompose(const Matrix* m1, const Matrix* m2, Matrix* dst) */ static Matrix* _parseTransformationMatrix(const char* value) { + const int POINT_CNT = 8; + auto matrix = (Matrix*)malloc(sizeof(Matrix)); if (!matrix) return nullptr; *matrix = {1, 0, 0, 0, 1, 0, 0, 0, 1}; - float points[8]; + float points[POINT_CNT]; int ptCount = 0; char* str = (char*)value; char* end = str + strlen(str); @@ -616,7 +618,7 @@ static Matrix* _parseTransformationMatrix(const char* value) str = _skipSpace(str, end); if (*str != '(') goto error; ++str; - str = _parseNumbersArray(str, points, &ptCount); + str = _parseNumbersArray(str, points, &ptCount, POINT_CNT); if (*str != ')') goto error; ++str;