From 80f95dfaeb92c44e49e51b8a69e301ea879b846b Mon Sep 17 00:00:00 2001 From: Hans Breuer Date: Thu, 3 Oct 2013 20:04:37 +0200 Subject: [PATCH 24/24] Bug 709017 [warningectomy] array subscript is above array bounds Get rid of the temporary array for font name, loose the limitation of maximum font name length and spare a string copy. --- lib/dia_svg.c | 82 ++++++++++++++++------------------------------------------- 1 file changed, 22 insertions(+), 60 deletions(-) diff --git a/lib/dia_svg.c b/lib/dia_svg.c index eea21b2..4eec0d0 100644 --- a/lib/dia_svg.c +++ b/lib/dia_svg.c @@ -127,11 +127,6 @@ _parse_color(gint32 *color, const char *str) return TRUE; } -enum -{ - FONT_NAME_LENGTH_MAX = 40 -}; - /** This function not only parses the style attribute of the given node * it also extracts some of the style properties directly. * @param node An XML node to parse a style from. @@ -144,9 +139,7 @@ void dia_svg_parse_style(xmlNodePtr node, DiaSvgStyle *s, real user_scale) { xmlChar *str; - gchar temp[FONT_NAME_LENGTH_MAX+1]; /* font-family names will be limited to 40 characters */ int i = 0; - gboolean over = FALSE; char *family = NULL, *style = NULL, *weight = NULL; str = xmlGetProp(node, (const xmlChar *)"style"); @@ -161,68 +154,37 @@ dia_svg_parse_style(xmlNodePtr node, DiaSvgStyle *s, real user_scale) if (!strncmp("font-family:", ptr, 12)) { ptr += 12; while ((ptr[0] != '\0') && g_ascii_isspace(ptr[0])) ptr++; - i = 0; over = FALSE; - while (ptr[0] != '\0' && ptr[0] != ';' && !over) { - if (i < FONT_NAME_LENGTH_MAX) { - temp[i] = ptr[0]; - } else over = TRUE; - i++; - ptr++; - } - temp[i] = '\0'; - - if (!over) { - if (strcmp (temp, "sanserif") == 0 || strcmp (temp, "sans-serif") == 0) - family = g_strdup ("sans"); /* special name adaption */ - else - family = g_strdup(temp); - } + i = 0; + while (ptr[i] != '\0' && ptr[i] != ';') ++i; + /* with i==0 we fall back to 'sans' too */ + if (strncmp (ptr, "sanserif", i) == 0 || strncmp (ptr, "sans-serif", i) == 0) + family = g_strdup ("sans"); /* special name adaption */ + else + family = i > 0 ? g_strndup(ptr, i) : NULL; + ptr += i; } else if (!strncmp("font-weight:", ptr, 12)) { ptr += 12; while ((ptr[0] != '\0') && g_ascii_isspace(ptr[0])) ptr++; - i = 0; over = FALSE; - while (ptr[0] != '\0' && ptr[0] != ';' && !over) { - if (i < FONT_NAME_LENGTH_MAX) { - temp[i] = ptr[0]; - } else over = TRUE; - i++; - ptr++; - } - temp[i] = '\0'; - - if (!over) weight = g_strdup(temp); + i = 0; + while (ptr[i] != '\0' && ptr[i] != ';') ++i; + weight = i > 0 ? g_strndup (ptr, i) : NULL; + ptr += i; } else if (!strncmp("font-style:", ptr, 11)) { ptr += 11; while ((ptr[0] != '\0') && g_ascii_isspace(ptr[0])) ptr++; - i = 0; over = FALSE; - while (ptr[0] != '\0' && ptr[0] != ';' && !over) { - if (i < FONT_NAME_LENGTH_MAX) { - temp[i] = ptr[0]; - } else over = TRUE; - i++; - ptr++; - } - temp[i] = '\0'; - - if (!over) style = g_strdup(temp); + i = 0; + while (ptr[i] != '\0' && ptr[i] != ';') ++i; + style = i > 0 ? g_strndup(ptr, i) : NULL; + ptr += i; } else if (!strncmp("font-size:", ptr, 10)) { ptr += 10; while ((ptr[0] != '\0') && g_ascii_isspace(ptr[0])) ptr++; - i = 0; over = FALSE; - while (ptr[0] != '\0' && ptr[0] != ';' && !over) { - if (i < FONT_NAME_LENGTH_MAX) { - temp[i] = ptr[0]; - } else over = TRUE; - i++; - ptr++; - } - temp[i] = '\0'; - - if (!over) { - s->font_height = g_ascii_strtod(temp, NULL); - if (user_scale > 0) - s->font_height /= user_scale; - } + i = 0; + while (ptr[i] != '\0' && ptr[i] != ';') ++i; + s->font_height = g_ascii_strtod(ptr, NULL); + ptr += i; + if (user_scale > 0) + s->font_height /= user_scale; } else if (!strncmp("text-anchor:", ptr, 12)) { ptr += 12; while ((ptr[0] != '\0') && g_ascii_isspace(ptr[0])) ptr++; -- 1.8.4.4