From 4310325aba2a1062ffe6f3b54cc752a629f735ea Mon Sep 17 00:00:00 2001 From: djack1010 Date: Sat, 22 Apr 2017 23:41:19 +0200 Subject: [PATCH 1/4] Check buffer length in parseCoordinateRaw --- src/nanosvg.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/nanosvg.h b/src/nanosvg.h index 6493aa6..1ad8a9a 100644 --- a/src/nanosvg.h +++ b/src/nanosvg.h @@ -1388,7 +1388,7 @@ static NSVGcoordinate nsvg__parseCoordinateRaw(const char* str) { NSVGcoordinate coord = {0, NSVG_UNITS_USER}; char units[32]=""; - sscanf(str, "%f%s", &coord.value, units); + sscanf(str, "%f%31s", &coord.value, units); coord.units = nsvg__parseUnits(units); return coord; } @@ -2799,7 +2799,7 @@ NSVGimage* nsvgParse(char* input, const char* units, float dpi) p->dpi = dpi; nsvg__parseXML(input, nsvg__startElement, nsvg__endElement, nsvg__content, p); - + // Scale to viewBox nsvg__scaleToViewbox(p, units); From fe14c0386c361559822a3e447e7f8baedce33556 Mon Sep 17 00:00:00 2001 From: djack1010 Date: Sat, 22 Apr 2017 23:45:24 +0200 Subject: [PATCH 2/4] Ignore malformed attributes in XML --- src/nanosvg.h | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/nanosvg.h b/src/nanosvg.h index 1ad8a9a..70175b3 100644 --- a/src/nanosvg.h +++ b/src/nanosvg.h @@ -279,6 +279,9 @@ static void nsvg__parseElement(char* s, // Get attribs while (!end && *s && nattr < NSVG_XML_MAX_ATTRIBS-3) { + char* attr_ptr = NULL; + char* value_ptr = NULL; + // Skip white space before the attrib name while (*s && nsvg__isspace(*s)) s++; if (!*s) break; @@ -286,7 +289,7 @@ static void nsvg__parseElement(char* s, end = 1; break; } - attr[nattr++] = s; + attr_ptr = s; // Find end of the attrib name. while (*s && !nsvg__isspace(*s) && *s != '=') s++; if (*s) { *s++ = '\0'; } @@ -296,9 +299,15 @@ static void nsvg__parseElement(char* s, quote = *s; s++; // Store value and find the end of it. - attr[nattr++] = s; + value_ptr = s; while (*s && *s != quote) s++; if (*s) { *s++ = '\0'; } + + // Store only well formed attributes + if (attr_ptr && value_ptr) { + attr[nattr++] = attr_ptr; + attr[nattr++] = value_ptr; + } } // List terminator From 41dcaefdd0ca42cfec8f3e1e4efa6e5c52e32dcd Mon Sep 17 00:00:00 2001 From: djack1010 Date: Mon, 24 Apr 2017 11:41:21 +0200 Subject: [PATCH 3/4] Applied requested changes --- src/nanosvg.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/nanosvg.h b/src/nanosvg.h index 70175b3..562b01c 100644 --- a/src/nanosvg.h +++ b/src/nanosvg.h @@ -279,17 +279,17 @@ static void nsvg__parseElement(char* s, // Get attribs while (!end && *s && nattr < NSVG_XML_MAX_ATTRIBS-3) { - char* attr_ptr = NULL; - char* value_ptr = NULL; + char* name = NULL; + char* value = NULL; - // Skip white space before the attrib name + // Skip white space before the attrib char* name = NULL; while (*s && nsvg__isspace(*s)) s++; if (!*s) break; if (*s == '/') { end = 1; break; } - attr_ptr = s; + name = s; // Find end of the attrib name. while (*s && !nsvg__isspace(*s) && *s != '=') s++; if (*s) { *s++ = '\0'; } @@ -299,14 +299,14 @@ static void nsvg__parseElement(char* s, quote = *s; s++; // Store value and find the end of it. - value_ptr = s; + value = s; while (*s && *s != quote) s++; if (*s) { *s++ = '\0'; } // Store only well formed attributes - if (attr_ptr && value_ptr) { - attr[nattr++] = attr_ptr; - attr[nattr++] = value_ptr; + if (name && value) { + attr[nattr++] = name; + attr[nattr++] = value; } } From a53bdc751224349ab3db315ee56f62ea2e60a7e6 Mon Sep 17 00:00:00 2001 From: djack1010 Date: Tue, 25 Apr 2017 11:12:41 +0200 Subject: [PATCH 4/4] Revert wrong comment --- src/nanosvg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nanosvg.h b/src/nanosvg.h index 562b01c..8a4b6fa 100644 --- a/src/nanosvg.h +++ b/src/nanosvg.h @@ -282,7 +282,7 @@ static void nsvg__parseElement(char* s, char* name = NULL; char* value = NULL; - // Skip white space before the attrib char* name = NULL; + // Skip white space before the attrib name while (*s && nsvg__isspace(*s)) s++; if (!*s) break; if (*s == '/') {