bgo#738050 - Handle the case where a list of coordinate pairs has an odd number of elements

Lists of points come in coordinate pairs, but we didn't have any checking for that.
It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate
of an x,y pair, that was in fact missing, leading to an out-of-bounds array read.

In that case, we now reuse the last-known y coordinate.

Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050Signed-off-by: Federico Mena Quintero's avatarFederico Mena Quintero <federico@gnome.org>
parent 7803753d
......@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value,
/* "L %f %f " */
for (i = 2; i < pointlist_len; i += 2) {
double p;
g_string_append (d, " L ");
g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i]));
g_string_append_c (d, ' ');
g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1]));
/* We expect points to come in coordinate pairs. But if there is a
* missing part of one pair in a corrupt SVG, we'll have an incomplete
* list. In that case, we reuse the last-known Y coordinate.
*/
if (i + 1 < pointlist_len)
p = pointlist[i + 1];
else
p = pointlist[i - 1];
g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p));
}
if (close_path)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment