CVE-2018-18544 CVE-2019-7397 CVE-2019-11005 CVE-2019-11006 CVE-2019-11010 CVE-2019-12921 CVE-2020-10938 CVE-2020-12672
SVGStartElement(): Fix stack buffer overflow while parsing quoted font family value.
(CVE-2019-11005)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d
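diff -r f7610c1281c1 -r b6fb77d7d54d coders/svg.c
--- a/coders/svg.c Fri Apr 05 08:13:14 2019 -0500
+++ b/coders/svg.c Fri Apr 05 08:43:15 2019 -0500
@@ -1745,12 +1745,12 @@
 font-family. Maybe we need a generalized solution for
 this.
 */
- if ((value[0] == '\'') && (value[strlen(value)-1] == '\''))
+ int value_length;
+ if ((value[0] == '\'') && ((value_length=(int) strlen(value)) > 2)
+ && (value[value_length-1] == '\''))
 {
- char nvalue[MaxTextExtent];
- (void) strlcpy(nvalue,value+1,sizeof(nvalue));
- nvalue[strlen(nvalue)-1]='\0';
- MVGPrintf(svg_info->file,"font-family '%s'\n",nvalue);
+ MVGPrintf(svg_info->file,"font-family '%.*s'\n",
+ (int)(value_length-2),value+1);
 }
 else
 {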
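Review bot: The length that guards `value[value_length-1]` in the new `if` is `(int) strlen(value)`, assigned inside the condition, so a `size_t` is narrowed to `int` before it is used as an index, and `value_length` is only set when the first test passes. Taking the length once before the test keeps the bounds arithmetic unsigned and leaves the `int` cast at the `%.*s` argument only: `const size_t value_length = strlen(value);` followed by `if ((value_length > 2) && (value[0] == '\'') && (value[value_length-1] == '\''))`. The `> 2` bound also sends the two-character value `''` to the `else` branch, whose body lies outside this hunk, so it is worth confirming that branch handles an empty quoted family as intended. A short comment such as `/* need more than the two quotes, otherwise the stripped name is empty */` would record why the bound is 2; the enclosing block of SVGStartElement() starts and ends outside the hunk.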