From 854364c5a6e96bacf254ad5cb0757804fc4a7b04 Mon Sep 17 00:00:00 2001
From: Michal Maciola
Date: Wed, 22 Sep 2021 09:48:54 +0200
Subject: [PATCH] svg_loader: fix potential mem corruption in _idFromUrl function

This patch fixes some potential memory corruptions in _idFromUrl function when name (url) is longer than 50 chars or is incorrectly terminated.
---
 src/loaders/svg/tvgSvgLoader.cpp | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/src/loaders/svg/tvgSvgLoader.cpp b/src/loaders/svg/tvgSvgLoader.cpp
index 7bae99d..804650c 100644
--- a/src/loaders/svg/tvgSvgLoader.cpp
+++ b/src/loaders/svg/tvgSvgLoader.cpp
@@ -272,24 +272,19 @@ _parseDashArray(SvgLoaderData* loader, const char *str, SvgDash* dash)
 static string* _idFromUrl(const char* url)
 {
- char tmp[50];
- int i = 0;
-
 url = _skipSpace(url, nullptr);
 if ((*url) == '(') {
 ++url;
 url = _skipSpace(url, nullptr);
 }
+ if ((*url) == '\'') ++url;
 if ((*url) == '#') ++url;
- while ((*url) != ')') {
- tmp[i++] = *url;
- ++url;
- }
- tmp[i] = '\0';
+ int i = 0;
+ while (url[i] > ' ' && url[i] != ')' && url[i] != '\'') ++i;
- return new string(tmp);
+ return new string(url, i);
 }
--
2.7.4
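Review bot: The new scan condition `url[i] > ' '` compares a plain `char`, so on platforms where `char` is signed any byte at or above 0x80 is negative and ends the loop; an id containing UTF-8 characters would be silently truncated at its first non-ASCII byte and the reference would fail to resolve. Casting keeps the NUL/whitespace stop that bounds the read without that side effect: `while ((unsigned char)url[i] > ' ' && url[i] != ')' && url[i] != '\'') ++i;`. The quote handling also covers only `'`, so a double-quoted `url("#id")` would return the quotes and the `#` as part of the id; adding the same skip and stop condition for `'"'` would treat both forms alike. Since this parses untrusted SVG text, a short comment above the loop stating that the `> ' '` test is what stops the scan at the terminating NUL would help keep that bound from being dropped in a later edit.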