cheng/nanosvg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: cheng:25241c5a8f8451d41ab1b02ab2d865b01600d949
Branches Tags
cheng:rho-fork
...
compare: cheng:ccdb1995134d340a93fb20e3a3d323ccb3838dd0
Branches Tags
cheng:rho-fork

11 Commits
25241c5a8f ... ccdb199513

Author SHA1 Message Date
Mikko Mononen
ccdb199513
Merge pull request #198 from ctrlcctrlv/CVE_2019_1000032 
Fix decimal values in color fields (nsvg__parseColorRGB, nsvg__parseColorHex)
 2021-09-03 21:24:42 +03:00
Greg Ercolano
419782d3d1 Fix decimal values in color fields (nsvg__parseColorRGB) 
Closes #136, fixes [CVE-2019-1000032](https://0day.work/cve-2019-1000032-memory-corruption-in-nanosvg/).
 2021-09-03 07:10:23 -04:00
Mikko Mononen
3cdd4a9d78
Merge pull request #196 from oehhar/master 
Fix for ticket #179 "division by 0" proposed by SergeySlice
 2021-03-30 23:20:21 +03:00
Harald Oehlmann
44e5e4c765 Fix for ticket #179 "division by 0" proposed by SergeySlice 2021-03-29 13:19:14 +02:00
Mikko Mononen
3e403ec72a
Merge pull request #189 from fvogelnew1/Fix-for-#188 
Update nanosvg.h
 2020-11-20 12:53:11 +02:00
fvogelnew1
45eb9f8bcc
Update nanosvg.h 
Fix https://github.com/memononen/nanosvg/issues/188
 2020-11-19 22:20:57 +01:00
Mikko Mononen
cc6c08d3a8 Restore example2 test file 2020-09-28 22:00:06 +03:00
Mikko Mononen
ddd39e9669 Fix for #185 
- prevent infinite loop when gradient ID is left to empty string
- prevent infinite loop when gradient references to self
- lookup up to 32 references back
 2020-09-28 10:49:46 +03:00
Mikko Mononen
e7f5981b1e Fix for #178 
- make sure nsvg__addPath() hands only valid number of pointts (1+N*3)
- require moveTo path command before handling other commands
- require (sign+)digit for a valid path command coordinate
- allow to add bezier segment only after there’s at leat one point (now
also consistent with nsvg__lineTo)
 2020-09-28 10:35:41 +03:00
Mikko Mononen
07a5e2a33c
Merge pull request #182 from oehhar/master 
Ticket #178: endless loop (DOS) when parsing crafted input via nsvgPa…
 2020-09-21 20:57:26 +03:00
Harald Oehlmann
dac455fd94 Ticket #178: endless loop (DOS) when parsing crafted input via nsvgParseFromFile() 
Fix be fvogel
 2020-09-21 13:53:54 +02:00
1 changed files with 79 additions and 46 deletions
Show Stats Expand all files Collapse all files

125
src/nanosvg.h
View File

@ -225,11 +225,6 @@ static int nsvg__isdigit(char c)
return c >= '0' && c <= '9';
}
static int nsvg__isnum(char c)
{
return strchr("0123456789+-.eE", c) != 0;
}
static NSVG_INLINE float nsvg__minf(float a, float b) { return a < b ? a : b; }
static NSVG_INLINE float nsvg__maxf(float a, float b) { return a > b ? a : b; }
@ -736,9 +731,11 @@ static void nsvg__lineTo(NSVGparser* p, float x, float y)
static void nsvg__cubicBezTo(NSVGparser* p, float cpx1, float cpy1, float cpx2, float cpy2, float x, float y)
{
nsvg__addPoint(p, cpx1, cpy1);
nsvg__addPoint(p, cpx2, cpy2);
nsvg__addPoint(p, x, y);
if (p->npts > 0) {
nsvg__addPoint(p, cpx1, cpy1);
nsvg__addPoint(p, cpx2, cpy2);
nsvg__addPoint(p, x, y);
}
}
static NSVGattrib* nsvg__getAttr(NSVGparser* p)
@ -808,7 +805,9 @@ static float nsvg__convertToPixels(NSVGparser* p, NSVGcoordinate c, float orig,
static NSVGgradientData* nsvg__findGradientData(NSVGparser* p, const char* id)
{
NSVGgradientData* grad = p->gradients;
while (grad) {
if (id == NULL || *id == '\0')
return NULL;
while (grad != NULL) {
if (strcmp(grad->id, id) == 0)
return grad;
grad = grad->next;
@ -825,19 +824,26 @@ static NSVGgradient* nsvg__createGradient(NSVGparser* p, const char* id, const f
NSVGgradient* grad;
float ox, oy, sw, sh, sl;
int nstops = 0;
int refIter;
data = nsvg__findGradientData(p, id);
if (data == NULL) return NULL;
// TODO: use ref to fill in all unset values too.
ref = data;
refIter = 0;
while (ref != NULL) {
NSVGgradientData* nextRef = NULL;
if (stops == NULL && ref->stops != NULL) {
stops = ref->stops;
nstops = ref->nstops;
break;
}
ref = nsvg__findGradientData(p, ref->ref);
nextRef = nsvg__findGradientData(p, ref->ref);
if (nextRef == ref) break; // prevent infite loops on malformed data
ref = nextRef;
refIter++;
if (refIter > 32) break; // prevent infite loops on malformed data
}
if (stops == NULL) return NULL;
@ -1040,6 +1046,10 @@ static void nsvg__addPath(NSVGparser* p, char closed)
if (closed)
nsvg__lineTo(p, p->pts[0], p->pts[1]);
// Expect 1 + N*3 points (N = number of cubic bezier segments).
if ((p->npts % 3) != 1)
return;
path = (NSVGpath*)malloc(sizeof(NSVGpath));
if (path == NULL) goto error;
memset(path, 0, sizeof(NSVGpath));
@ -1205,35 +1215,22 @@ static const char* nsvg__getNextPathItem(const char* s, char* it)
static unsigned int nsvg__parseColorHex(const char* str)
{
unsigned int c = 0, r = 0, g = 0, b = 0;
int n = 0;
str++; // skip #
// Calculate number of characters.
while(str[n] && !nsvg__isspace(str[n]))
n++;
if (n == 6) {
sscanf(str, "%x", &c);
} else if (n == 3) {
sscanf(str, "%x", &c);
c = (c&0xf) | ((c&0xf0) << 4) | ((c&0xf00) << 8);
c |= c<<4;
}
r = (c >> 16) & 0xff;
g = (c >> 8) & 0xff;
b = c & 0xff;
return NSVG_RGB(r,g,b);
unsigned int r=0, g=0, b=0;
if (sscanf(str, "#%2x%2x%2x", &r, &g, &b) == 3 ) // 2 digit hex
return NSVG_RGB(r, g, b);
if (sscanf(str, "#%1x%1x%1x", &r, &g, &b) == 3 ) // 1 digit hex, e.g. #abc -> 0xccbbaa
return NSVG_RGB(r*17, g*17, b*17); // same effect as (r<<4|r), (g<<4|g), ..
return NSVG_RGB(128, 128, 128);
}
static unsigned int nsvg__parseColorRGB(const char* str)
{
int r = -1, g = -1, b = -1;
char s1[32]="", s2[32]="";
sscanf(str + 4, "%d%[%%, \t]%d%[%%, \t]%d", &r, s1, &g, s2, &b);
if (strchr(s1, '%')) {
return NSVG_RGB((r*255)/100,(g*255)/100,(b*255)/100);
} else {
return NSVG_RGB(r,g,b);
}
unsigned int r=0, g=0, b=0;
if (sscanf(str, "rgb(%u, %u, %u)", &r, &g, &b) == 3) // decimal integers
return NSVG_RGB(r, g, b);
if (sscanf(str, "rgb(%u%%, %u%%, %u%%)", &r, &g, &b) == 3) // decimal integer percentage
return NSVG_RGB(r*255/100, g*255/100, b*255/100);
return NSVG_RGB(128, 128, 128);
}
typedef struct NSVGNamedColor {
@ -1458,6 +1455,15 @@ static int nsvg__parseUnits(const char* units)
return NSVG_UNITS_USER;
}
static int nsvg__isCoordinate(const char* s)
{
// optional sign
if (*s == '-' || *s == '+')
s++;
// must have at least one digit, or start by a dot
return (nsvg__isdigit(*s) || *s == '.');
}
static NSVGcoordinate nsvg__parseCoordinateRaw(const char* str)
{
NSVGcoordinate coord = {0, NSVG_UNITS_USER};
@ -1597,25 +1603,32 @@ static int nsvg__parseRotate(float* xform, const char* str)
static void nsvg__parseTransform(float* xform, const char* str)
{
float t[6];
int len;
nsvg__xformIdentity(xform);
while (*str)
{
if (strncmp(str, "matrix", 6) == 0)
str += nsvg__parseMatrix(t, str);
len = nsvg__parseMatrix(t, str);
else if (strncmp(str, "translate", 9) == 0)
str += nsvg__parseTranslate(t, str);
len = nsvg__parseTranslate(t, str);
else if (strncmp(str, "scale", 5) == 0)
str += nsvg__parseScale(t, str);
len = nsvg__parseScale(t, str);
else if (strncmp(str, "rotate", 6) == 0)
str += nsvg__parseRotate(t, str);
len = nsvg__parseRotate(t, str);
else if (strncmp(str, "skewX", 5) == 0)
str += nsvg__parseSkewX(t, str);
len = nsvg__parseSkewX(t, str);
else if (strncmp(str, "skewY", 5) == 0)
str += nsvg__parseSkewY(t, str);
len = nsvg__parseSkewY(t, str);
else{
++str;
continue;
}
if (len != 0) {
str += len;
} else {
++str;
continue;
}
nsvg__xformPremultiply(xform, t);
}
@ -1876,8 +1889,11 @@ static int nsvg__getArgsPerElement(char cmd)
case 'a':
case 'A':
return 7;
case 'z':
case 'Z':
return 0;
}
return 0;
return -1;
}
static void nsvg__pathMoveTo(NSVGparser* p, float* cpx, float* cpy, float* args, int rel)
@ -2158,7 +2174,12 @@ static void nsvg__pathArcTo(NSVGparser* p, float* cpx, float* cpy, float* args,
// The loop assumes an iteration per end point (including start and end), this +1.
ndivs = (int)(fabsf(da) / (NSVG_PI*0.5f) + 1.0f);
hda = (da / (float)ndivs) / 2.0f;
kappa = fabsf(4.0f / 3.0f * (1.0f - cosf(hda)) / sinf(hda));
// Fix for ticket #179: division by 0: avoid cotangens around 0 (infinite)
if ((hda < 1e-3f) && (hda > -1e-3f))
hda *= 0.5f;
else
hda = (1.0f - cosf(hda)) / sinf(hda);
kappa = fabsf(4.0f / 3.0f * hda);
if (da < 0.0f)
kappa = -kappa;
@ -2187,6 +2208,7 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
float args[10];
int nargs;
int rargs = 0;
char initPoint;
float cpx, cpy, cpx2, cpy2;
const char* tmp[4];
char closedFlag;
@ -2209,13 +2231,14 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
nsvg__resetPath(p);
cpx = 0; cpy = 0;
cpx2 = 0; cpy2 = 0;
initPoint = 0;
closedFlag = 0;
nargs = 0;
while (*s) {
s = nsvg__getNextPathItem(s, item);
if (!*item) break;
if (nsvg__isnum(item[0])) {
if (cmd != '\0' && nsvg__isCoordinate(item)) {
if (nargs < 10)
args[nargs++] = (float)nsvg__atof(item);
if (nargs >= rargs) {
@ -2228,6 +2251,7 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
cmd = (cmd == 'm') ? 'l' : 'L';
rargs = nsvg__getArgsPerElement(cmd);
cpx2 = cpx; cpy2 = cpy;
initPoint = 1;
break;
case 'l':
case 'L':
@ -2277,7 +2301,6 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
}
} else {
cmd = item[0];
rargs = nsvg__getArgsPerElement(cmd);
if (cmd == 'M' || cmd == 'm') {
// Commit path.
if (p->npts > 0)
@ -2286,7 +2309,11 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
nsvg__resetPath(p);
closedFlag = 0;
nargs = 0;
} else if (cmd == 'Z' || cmd == 'z') {
} else if (initPoint == 0) {
// Do not allow other commands until initial point has been set (moveTo called once).
cmd = '\0';
}
if (cmd == 'Z' || cmd == 'z') {
closedFlag = 1;
// Commit path.
if (p->npts > 0) {
@ -2302,6 +2329,12 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
closedFlag = 0;
nargs = 0;
}
rargs = nsvg__getArgsPerElement(cmd);
if (rargs == -1) {
// Command not recognized
cmd = '\0';
rargs = 0;
}
}
}
// Commit path.