From 6262016272434fc5cc5f607b01864824f211a2e4 Mon Sep 17 00:00:00 2001
From: JunsuChoi
Date: Mon, 2 Nov 2020 13:05:44 +0900
Subject: [PATCH] vg_load_svg: Prevent memory overflow for tag_name
Summary: When copying tag_name, if length of referenced string is longer than general case, it is not used as tag_name.
Test Plan: N/A
Reviewers: Hermet, smohanty
Reviewed By: Hermet
Subscribers: kimcinoo, herb, cedric, #committers, #reviewers
Tags: #efl
Differential Revision: https://phab.enlightenment.org/D12185
Change-Id: I2736b0b3e97b8a1ac0c3da4f18305fa7a3c80f85
---
 src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c b/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
index e68edbb..e8c46ce 100644
--- a/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
+++ b/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
@@ -2279,6 +2279,7 @@ _evas_svg_loader_xml_open_parser(Evas_SVG_Loader *loader,
 attrs_length = length - sz;
 while ((sz > 0) && (isspace(content[sz - 1])))
 sz--;
+ if ((unsigned int)sz > sizeof(tag_name)) return;
 strncpy(tag_name, content, sz);
 tag_name[sz] = '\0';
 }
-- 
2.7.4
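Review bot: The added bound is off by one: when `sz == sizeof(tag_name)` the check passes, `strncpy` fills the whole buffer, and `tag_name[sz] = '\0'` then writes one byte past its end. The guard should reject that case as well, `if ((size_t)sz >= sizeof(tag_name)) return;`, so the terminator always lands inside the array. This assumes `tag_name` is a fixed-size array; its declaration and the start and end of `_evas_svg_loader_xml_open_parser` are outside the hunk, and if it were a pointer `sizeof` would not give the capacity. The early return also drops an over-long tag name silently, so a short comment such as `/* tag name too long for tag_name[]: ignore this element */` would record that this is intended.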