hermet pushed a commit to branch master.

http://git.enlightenment.org/core/efl.git/commit/?id=888e1e74012a4d17bb56ef3d2be2dd6d635c449b

commit 888e1e74012a4d17bb56ef3d2be2dd6d635c449b
Author: JunsuChoi <jsuya.c...@samsung.com>
Date:   Mon Nov 2 13:05:44 2020 +0900

    vg_load_svg: Prevent memory overflow for tag_name
    
    Summary:
    When copying tag_name, if the length of the referenced string is longer
    than in the general case, it is not used as tag_name.
    
    Test Plan: N/A
    
    Reviewers: Hermet, smohanty
    
    Reviewed By: Hermet
    
    Subscribers: kimcinoo, herb, cedric, #committers, #reviewers
    
    Tags: #efl
    
    Differential Revision: https://phab.enlightenment.org/D12185
---
 src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c 
b/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
index e68edbb0c9..e8c46ceb1f 100644
--- a/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
+++ b/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
@@ -2279,6 +2279,7 @@ _evas_svg_loader_xml_open_parser(Evas_SVG_Loader *loader,
         attrs_length = length - sz;
         while ((sz > 0) && (isspace(content[sz - 1])))
           sz--;
+        if ((unsigned int)sz > sizeof(tag_name)) return;
         strncpy(tag_name, content, sz);
         tag_name[sz] = '\0';
      }
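Review bot: The added guard `if ((unsigned int)sz > sizeof(tag_name)) return;` still lets `sz == sizeof(tag_name)` through, and the `tag_name[sz] = '\0';` two lines below then writes one byte past the end of the buffer. The comparison should be `>=`, i.e. `if ((unsigned int)sz >= sizeof(tag_name)) return;`, so that room for the terminator is always kept. This assumes tag_name is a fixed-size array, as the use of sizeof suggests; its declaration and the rest of _evas_svg_loader_xml_open_parser lie outside the hunk. Because content is taken from the SVG file being loaded, a regression test with a tag name exactly as long as the buffer would pin this boundary, and the commit lists its Test Plan as N/A.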

-- 

