X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Fuifw%2Fdali-toolkit.git;a=blobdiff_plain;f=dali-toolkit%2Fthird-party%2Fnanosvg%2Fnanosvg.cc;h=f8b45f91908b6c58515093bb69cbf8db0121ec0d;hp=1022a981aed642e71549c3000c413526c4dec937;hb=26c58f8cd94d162df81d21d347c3c56d477b405b;hpb=1e5f8e03bf0dfd40c9efd641d915dd1173eae4e5
diff --git a/dali-toolkit/third-party/nanosvg/nanosvg.cc b/dali-toolkit/third-party/nanosvg/nanosvg.cc
index 1022a98..f8b45f9 100644
--- a/dali-toolkit/third-party/nanosvg/nanosvg.cc
+++ b/dali-toolkit/third-party/nanosvg/nanosvg.cc
@@ -1082,7 +1082,7 @@ static unsigned int nsvg__parseColorHex(const char* str)
 static unsigned int nsvg__parseColorRGB(const char* str)
 {
 int r = -1, g = -1, b = -1;
- char s1[32]="", s2[32]="";
+ char s1[33]="", s2[33]="";
 /**
 * In the original file, the formatted data reading did not specify the string with width limitation.
 * To prevent the possible overflow, we replace '%s' with '%32s' here.
@@ -1320,7 +1320,7 @@ static int nsvg__parseUnits(const char* units)
 static NSVGcoordinate nsvg__parseCoordinateRaw(const char* str)
 {
 NSVGcoordinate coord = {0, NSVG_UNITS_USER};
- char units[32]="";
+ char units[33]="";
 /**
 * In the original file, the formatted data reading did not specify the string with width limitation.
 * To prevent the possible overflow, we replace '%s' with '%32s' here.
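Review bot: The new size 33 in `char s1[33]="", s2[33]="";` of nsvg__parseColorRGB is tied to the `%32s` width named in the comment below it, but nothing on the declaration says so; the same applies to `char units[33]="";` in the nsvg__parseCoordinateRaw hunk. The sscanf calls themselves are outside both hunks, so the width is taken from the comment text only. A `%32s` conversion stores up to 32 characters plus a terminating NUL, so if either number is later changed on its own, the one-byte overflow this commit removes comes back. I would extend the existing comment in both places with a line such as `* The buffers hold 33 bytes: 32 characters accepted by '%32s' plus the terminating NUL.`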
@@ -2753,14 +2753,21 @@ NSVGimage* nsvgParse(char* input, const char* units, float dpi)
 NSVGimage* nsvgParseFromFile(const char* filename, const char* units, float dpi)
 {
 FILE* fp = NULL;
- size_t size;
+ size_t size = 0;
+ long value = 0;
 char* data = NULL;
 NSVGimage* image = NULL;
 fp = fopen(filename, "rb");
 if (!fp) goto error;
 fseek(fp, 0, SEEK_END);
- size = ftell(fp);
+ value = ftell(fp);
+ /**
+ * In the original file, unsigned long type 'size' gets a return value. But, the return value of 'ftell()' is
+ * signed long type. To prevent interpreting an unexpected large value, we put the comparitive condition here.
+ */
+ if( value < 0 ) goto error;
+ size = value;
 fseek(fp, 0, SEEK_SET);
 data = (char*)malloc(size+1);
 if (data == NULL) goto error;
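Review bot: The results of both `fseek` calls around the new `ftell` check in nsvgParseFromFile are still ignored. If `fseek(fp, 0, SEEK_END)` fails while `ftell` still succeeds, `value` is the current offset (0 right after `fopen`), so the function continues with `malloc(size+1)` for an empty buffer instead of taking the error path. I would write `if (fseek(fp, 0, SEEK_END) != 0) goto error;` and likewise `if (fseek(fp, 0, SEEK_SET) != 0) goto error;`. The read that follows and the `error:` label are outside the hunk, so whether `fp` is closed on the new `goto error` path cannot be confirmed here. Because the whole file is allocated at once, an upper bound on `value` before the allocation would also limit how much memory an oversized input file can make the process reserve.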