[3.0] Fix SVACE issue - prevent buffer overflow

author Heeyong Song <heeyong.song@samsung.com>

Fri, 14 Apr 2017 01:55:13 +0000 (10:55 +0900)

committer Heeyong Song <heeyong.song@samsung.com>

Mon, 17 Apr 2017 06:41:44 +0000 (15:41 +0900)
author Heeyong Song <heeyong.song@samsung.com>
Fri, 14 Apr 2017 01:55:13 +0000 (10:55 +0900)
committer Heeyong Song <heeyong.song@samsung.com>
Mon, 17 Apr 2017 06:41:44 +0000 (15:41 +0900)
diff --git a/dali-toolkit/third-party/nanosvg/nanosvg.cc b/dali-toolkit/third-party/nanosvg/nanosvg.cc

index 9643567..d3ffc40 100644 (file)
--- a/dali-toolkit/third-party/nanosvg/nanosvg.cc
+++ b/dali-toolkit/third-party/nanosvg/nanosvg.cc
@@ -1035,7 +1035,12 @@ static unsigned int nsvg__parseColorRGB(const char* str)
  {
      int r = -1, g = -1, b = -1;
      char s1[32]="", s2[32]="";
-    sscanf(str + 4, "%d%[%%, \t]%d%[%%, \t]%d", &r, s1, &g, s2, &b);
+
+    /**
+     * In the original file, the formatted data reading did not specify the string with width limitation.
+     * To prevent the possible overflow, we replace '%s' with '%32s' here.
+     */
+    sscanf(str + 4, "%d%32[%%, \t]%d%32[%%, \t]%d", &r, s1, &g, s2, &b);
      if (strchr(s1, '%')) {
          return NSVG_RGB((r*255)/100,(g*255)/100,(b*255)/100);
      } else {
author	Heeyong Song <heeyong.song@samsung.com>
	Fri, 14 Apr 2017 01:55:13 +0000 (10:55 +0900)
committer	Heeyong Song <heeyong.song@samsung.com>
	Mon, 17 Apr 2017 06:41:44 +0000 (15:41 +0900)