From dbf8fdba6765f42ca87d03e5a0d8fd0101e74556 Mon Sep 17 00:00:00 2001
From: Martin Owens
Date: Sun, 9 Oct 2022 13:59:27 -0400
Subject: [PATCH] Check for valid string when parsing attributes.

During parsing we advance the string to skip over spaces but fail to check if the string is still valid, leaving lots of possible ways for inkscape to crash if the string ends before all the expected data is found.

Fixes https://gitlab.com/inkscape/inkscape/-/issues/3786
---
 src/style-internal.cpp | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/src/style-internal.cpp b/src/style-internal.cpp
index d5d43e30ab..8c2386b752 100644
--- a/src/style-internal.cpp
+++ b/src/style-internal.cpp
@@ -1511,14 +1511,14 @@ SPIPaint::read( gchar const *str ) {
 // << " document: " << (style->object->document?"yes":"no") << std::endl;
 // }
- if(!str ) return;
-
- reset( false ); // Do not init
-
- // Is this necessary?
- while (g_ascii_isspace(*str)) {
+ // Advance to the next non-space
+ while (str && g_ascii_isspace(*str)) {
 ++str;
 }
+ if(!str)
+ return;
+
+ reset( false ); // Do not init
 if (streq(str, "inherit")) {
 set = true;
@@ -1562,10 +1562,16 @@ SPIPaint::read( gchar const *str ) {
 }
 }
- while ( g_ascii_isspace(*str) ) {
+ // Ignore spaces between elements
+ while ( str && g_ascii_isspace(*str) ) {
 ++str;
 }
+ if (!str) {
+ std::cerr << "SPIPaint::read(): value ended prematurely." << std::endl;
+ return;
+ }
+
 if (streq(str, "currentColor")) {
 set = true;
 paintOrigin = SP_CSS_PAINT_ORIGIN_CURRENT_COLOR;
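Review bot: The added guard `if (!str)` after the whitespace loop cannot fire for any non-null input, because `++str` advances the pointer and never makes it null; when the value runs out early, `g_ascii_isspace('\0')` is false, the loop stops, and `str` points at the terminating NUL rather than being `nullptr`. The `value ended prematurely` branch in the second hunk is therefore dead code, and the premature-end case the commit message describes still falls through to `streq(str, "currentColor")`; the relocated `if(!str) return;` in the first hunk likewise only catches the null pointer the old top-of-function check already caught. Test the terminator, not the pointer: `if (!str || *str == '\0') {`, and once `str` has been proven non-null at the top of the function the later loops no longer need the `str &&` guard. Both hunks are inside `SPIPaint::read`, whose body continues outside them, so whether an empty remainder actually crashes downstream cannot be confirmed from here.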
@@ -1594,9 +1600,15 @@ SPIPaint::read( gchar const *str ) {
 setColor( rgb0 );
 set = true;
- while (g_ascii_isspace(*str)) {
+ // Ignore spaces between color and icc profile.
+ while (str && g_ascii_isspace(*str)) {
 ++str;
 }
+ if (!str) {
+ std::cerr << "SPIPaint::read(): value ended prematurely." << std::endl;
+ return;
+ }
+
 if (strneq(str, "icc-color(", 10)) {
 SVGICCColor* tmp = new SVGICCColor();
 if ( ! sp_svg_read_icc_color( str, &str, tmp ) ) {
--
GitLab
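Review bot: The `if (!str)` inserted before `strneq(str, "icc-color(", 10)` has the same flaw as the earlier hunks: the loop only increments the pointer, so for a value such as `#ff0000   ` (trailing spaces) it leaves `str` on the NUL terminator and the early return with the `value ended prematurely` message never executes. Checking the character instead, `if (!str || !*str) {`, makes the early return actually run before the icc-color branch, which is what the commit message says it intends. Note that `*str == '\0'` is not itself a crash here, since `strneq` on an empty string simply fails, so the real crash path the issue reports is presumably in code beyond this hunk; the remainder of `SPIPaint::read` lies outside it.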