Buffer overflow in svg transformation reading
Bug #1047524 reported by Ralf Engels
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Inkscape | Fix Released | Low | Unassigned | |
Bug Description
While reviewing the SVG reading code I found a problem in svg-affine.cpp.
When reading the arguments of a transformation, a buffer with 6 values is used, but later on an unlimited number of matrix arguments can be read.
The other buffer used in this function seems to be protected sufficiently.
The attached patch solves the problem.
tags: | added: code-design |
information type: | Private Security → Public |
Apparently the args count is done later in the code, line 78:
--
if (n_args == sizeof (args) / sizeof (args[0])) return false; /* Too many args */
--
It's a bit weird, and protecting the code in the loop seems to be safer indeed.
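
Added example, not part of the bug report and not Inkscape's code: a minimal argument-list parser that puts the capacity check inside the read loop, before each store, which is the placement the comment above calls safer. The function name `parse_args`, its signature and the sample inputs are hypothetical and constructed for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdlib>

// Hypothetical helper (not Inkscape's code): parse "(v1, v2, ...)" into a
// fixed-size buffer. The capacity check sits inside the loop, before each
// store, so no input length can write past args[capacity - 1].
bool parse_args(const char *s, double *args, std::size_t capacity,
                std::size_t *n_args)
{
    *n_args = 0;
    while (std::isspace(static_cast<unsigned char>(*s))) ++s;
    if (*s != '(') return false;
    ++s;
    for (;;) {
        // Skip separators: whitespace and commas.
        while (std::isspace(static_cast<unsigned char>(*s)) || *s == ',') ++s;
        if (*s == ')') return true;             // end of list
        if (*s == '\0') return false;           // unterminated list
        if (*n_args == capacity) return false;  // too many args: reject before writing
        char *end = nullptr;
        double v = std::strtod(s, &end);
        if (end == s) return false;             // not a number
        args[(*n_args)++] = v;
        s = end;
    }
}

// Constructed sample input: exactly six values fit a six-element buffer.
bool demo_ok()
{
    double args[6];
    std::size_t n = 0;
    return parse_args("(1, 0, 0, 1, 10, 20)", args, 6, &n) && n == 6 && args[5] == 20.0;
}

// Constructed sample input: nine values are rejected after six stores.
bool demo_overlong_rejected()
{
    double args[6];
    std::size_t n = 0;
    return !parse_args("(1 2 3 4 5 6 7 8 9)", args, 6, &n) && n == 6;
}

int main()
{
    return (demo_ok() && demo_overlong_rejected()) ? 0 : 1;
}
```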