From: Mira Grudzinska
Date: Fri, 6 Jan 2023 23:04:31 +0000 (+0100)
Subject: svg_loader: fixing crash for to big buffer
X-Git-Tag: accepted/tizen/unified/20230317.081016~18^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=af5e394cdda8ba4f6ec3f7b1c93c3ebe13d235e1;p=platform%2Fcore%2Fgraphics%2Ftizenvg.git
svg_loader: fixing crash for to big buffer
Crash observed on macOS for the image-embeded-*.svg files. Since the alloca function was used the stack allocation failure could not be handled.
Change-Id: Ibc38ef8f8f407145e7490c221a24786b99ed2d04
---
diff --git a/src/loaders/svg/tvgXmlParser.cpp b/src/loaders/svg/tvgXmlParser.cpp
index 231badd..0e2c3fa 100644
--- a/src/loaders/svg/tvgXmlParser.cpp
+++ b/src/loaders/svg/tvgXmlParser.cpp
@@ -304,38 +304,38 @@ bool isIgnoreUnsupportedLogElements(TVG_UNUSED const char* tagName)
 bool simpleXmlParseAttributes(const char* buf, unsigned bufLength, simpleXMLAttributeCb func, const void* data)
 {
 const char *itr = buf, *itrEnd = buf + bufLength;
- char* tmpBuf = (char*)alloca(bufLength + 1);
+ char* tmpBuf = (char*)malloc(bufLength + 1);
- if (!buf || !func) return false;
+ if (!buf || !func || !tmpBuf) goto error;
 while (itr < itrEnd) {
 const char* p = _skipWhiteSpacesAndXmlEntities(itr, itrEnd);
 const char *key, *keyEnd, *value, *valueEnd;
 char* tval;
- if (p == itrEnd) return true;
+ if (p == itrEnd) goto success;
 key = p;
 for (keyEnd = key; keyEnd < itrEnd; keyEnd++) {
 if ((*keyEnd == '=') || (isspace((unsigned char)*keyEnd))) break;
 }
- if (keyEnd == itrEnd) return false;
+ if (keyEnd == itrEnd) goto error;
 if (keyEnd == key) continue;
 if (*keyEnd == '=') value = keyEnd + 1;
 else {
 value = (const char*)memchr(keyEnd, '=', itrEnd - keyEnd);
- if (!value) return false;
+ if (!value) goto error;
 value++;
 }
 keyEnd = _simpleXmlUnskipXmlEntities(keyEnd, key);
 value = _skipWhiteSpacesAndXmlEntities(value, itrEnd);
- if (value == itrEnd) return false;
+ if (value == itrEnd) goto error;
 if ((*value == '"') || (*value == '\'')) {
 valueEnd = (const char*)memchr(value + 1, *value, itrEnd - value);
- if (!valueEnd) return false;
+ if (!valueEnd) goto error;
 value++;
 } else {
 valueEnd = _simpleXmlFindWhiteSpace(value, itrEnd);
@@ -364,7 +364,14 @@ bool simpleXmlParseAttributes(const char* buf, unsigned bufLength, simpleXMLAttr
 }
 }
 }
+
+success:
+ free(tmpBuf);
 return true;
+
+error:
+ free(tmpBuf);
+ return false;
 }
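Review bot: `bufLength + 1` in the new `malloc` call is evaluated in `unsigned`, so a `bufLength` of `UINT_MAX` wraps the request to 0, and `malloc(0)` may return a non-NULL block that passes the added `!tmpBuf` check. The writes into `tmpBuf` sit between the two hunks and are not shown, so whether that size is reachable from a loaded file should be confirmed, but a guard such as `if (bufLength == UINT_MAX) return false;` ahead of the allocation costs nothing. In the unchanged quoted-value branch, `memchr(value + 1, *value, itrEnd - value)` starts one byte in but keeps the full length, so it can examine the byte at `itrEnd`; `itrEnd - value - 1` would keep the search inside the buffer. Because this path now handles very large embedded-image attributes taken from SVG input, both bounds are worth tightening in the same change.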
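Review bot: The `success:` and `error:` labels each repeat `free(tmpBuf)`, so correctness now depends on every exit from the loop going through a `goto`. A plain `return` added later would leak the buffer, and the part of the loop between the two hunks is not visible here to confirm that none remains. Since this is a C++ translation unit, a scoped owner such as `std::unique_ptr<char, decltype(&free)> tmpBuf((char*)malloc(bufLength + 1), free);` would release the buffer on every path and let the original `return true;` / `return false;` statements stay. If the project prefers to avoid `<memory>` here, a single `cleanup:` label with a `bool ret` would at least remove the duplicated free.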