From 9befa48a3187978e2ad423c00d0f9995e83e80e4 Mon Sep 17 00:00:00 2001
From: Hermet Park
Date: Thu, 24 Jun 2021 16:45:58 +0900
Subject: [PATCH] svg_loader: prevent heap memory overflow.

if the input points are odd-numberd by invalid svg data, it could access invalid memory. Prevents it just in case.
---
 src/loaders/svg/tvgSvgSceneBuilder.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/loaders/svg/tvgSvgSceneBuilder.cpp b/src/loaders/svg/tvgSvgSceneBuilder.cpp
index 6c6b52f..ec0d8a5 100644
--- a/src/loaders/svg/tvgSvgSceneBuilder.cpp
+++ b/src/loaders/svg/tvgSvgSceneBuilder.cpp
@@ -291,7 +291,7 @@ static bool _appendShape(SvgNode* node, Shape* shape, float vx, float vy, float
 case SvgNodeType::Polygon: {
 if (node->node.polygon.pointsCount < 2) break;
 shape->moveTo(node->node.polygon.points[0], node->node.polygon.points[1]);
- for (int i = 2; i < node->node.polygon.pointsCount; i += 2) {
+ for (int i = 2; i < node->node.polygon.pointsCount - 1; i += 2) {
 shape->lineTo(node->node.polygon.points[i], node->node.polygon.points[i + 1]);
 }
 shape->close();
@@ -300,7 +300,7 @@ static bool _appendShape(SvgNode* node, Shape* shape, float vx, float vy, float
 case SvgNodeType::Polyline: {
 if (node->node.polygon.pointsCount < 2) break;
 shape->moveTo(node->node.polygon.points[0], node->node.polygon.points[1]);
- for (int i = 2; i < node->node.polygon.pointsCount; i += 2) {
+ for (int i = 2; i < node->node.polygon.pointsCount - 1; i += 2) {
 shape->lineTo(node->node.polygon.points[i], node->node.polygon.points[i + 1]);
 }
 break;
-- 
2.7.4
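Review bot: The new bound `i < node->node.polygon.pointsCount - 1` in the Polygon loop (and the identical Polyline loop in the second hunk) keeps `points[i + 1]` in range, but it states the invariant only indirectly and relies on the `pointsCount < 2` guard above to avoid wrap-around if `pointsCount` is an unsigned type, which these hunks do not show. Writing the condition as `i + 1 < node->node.polygon.pointsCount` expresses the actual requirement and stays correct regardless of signedness or of the guard being moved later. An odd trailing coordinate is now silently dropped at scene-build time; because the count comes from untrusted SVG input, it would be more robust to reject or truncate an odd count where the `points` attribute is parsed (not visible here), so that any other reader of `polygon.points` gets the same guarantee. `_appendShape` begins and ends outside both hunks.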