Buffer overflow in svg transformation reading
Bug #1047524 reported by
Ralf Engels
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Inkscape |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
While reviewing the svg reading code I found a problem in svg-affine.cpp
When reading the arguments of a transformation a buffer with 6 values is used but later on an unlimited amount of matrix arguments can be read.
The other buffer used in this function seems to be protected sufficiently.
The attached patch solves the problem.
Revision history for this message
| Ralf Engels (ralf-engels) wrote | #1 |
| tags: | added: code-design |
Revision history for this message
| jazzynico (jazzynico) wrote | #2 |
| Changed in inkscape: | |
| importance: | Undecided → Low |
Revision history for this message
| Martin Owens (doctormo) wrote | #3 |
| tags: | added: bug-migration |
| Changed in inkscape: | |
| status: | New → Fix Released |
| information type: | Private Security → Public |
To post a comment you must log in.
Apparently the args count is done later in the code, line 78:
--
if (n_args == sizeof (args) / sizeof (args[0])) return false; /* Too many args */
--
It's a bit weird, and protecting the code in the loop seems to be safer indeed.