From 49a3a559d4ba96f80290eb6a0b4cdc48f421d8b4 Mon Sep 17 00:00:00 2001
From: Ozkan Sezer <[EMAIL REDACTED]>
Date: Fri, 27 May 2022 20:04:10 +0300
Subject: [PATCH] nanosvg: fix access to uninitialized memory in case of a bad
file:
==32600== Conditional jump or move depends on uninitialised value(s)
==32600== at 0x4020678: nsvg__deleteStyles (nanosvg.h:673)
==32600== by 0x40207A5: nsvg__deleteParser (nanosvg.h:711)
==32600== by 0x4027F06: nsvgParse (nanosvg.h:3033)
==32600== by 0x402C390: IMG_LoadSizedSVG_RW (IMG_svg.c:122)
==32600== by 0x402C5C7: IMG_LoadSVG_RW (IMG_svg.c:190)
==32600== by 0x40113DC: IMG_LoadTyped_RW (IMG.c:289)
==32600== by 0x4011205: IMG_Load (IMG.c:205)
==32600== by 0x401145D: IMG_LoadTexture (IMG.c:306)
==32600== by 0x8048DA0: main (showimage.c:104)
==32600==
INFO: Couldn't load broken.svg: Couldn't parse SVG image
(The svg file in question was the one from commit a1f2a0d31c15a.)
While we are there, replace all those malloc+memset pairs with a single
calloc() each.
---
IMG_svg.c | 1 +
nanosvg.h | 28 +++++++++++-----------------
nanosvgrast.h | 8 +++-----
3 files changed, 15 insertions(+), 22 deletions(-)
diff --git a/IMG_svg.c b/IMG_svg.c
index 6792c32..682e29a 100644
--- a/IMG_svg.c
+++ b/IMG_svg.c
@@ -38,6 +38,7 @@ static float SDLCALL SDL_roundf(float x)
/* Replace C runtime functions with SDL C runtime functions for building on Windows */
#define free SDL_free
#define malloc SDL_malloc
+#define calloc SDL_calloc
#undef memcpy
#define memcpy SDL_memcpy
#undef memset
diff --git a/nanosvg.h b/nanosvg.h
index 0ceb2c7..f19aeaa 100644
--- a/nanosvg.h
+++ b/nanosvg.h
@@ -628,16 +628,14 @@ static void nsvg__curveBounds(float* bounds, float* curve)
}
}
-static NSVGparser* nsvg__createParser()
+static NSVGparser* nsvg__createParser(void)
{
NSVGparser* p;
- p = (NSVGparser*)malloc(sizeof(NSVGparser));
+ p = (NSVGparser*)calloc(1, sizeof(NSVGparser));
if (p == NULL) goto error;
- memset(p, 0, sizeof(NSVGparser));
- p->image = (NSVGimage*)malloc(sizeof(NSVGimage));
+ p->image = (NSVGimage*)calloc(1, sizeof(NSVGimage));
if (p->image == NULL) goto error;
- memset(p->image, 0, sizeof(NSVGimage));
// Init style
nsvg__xformIdentity(p->attr[0].xform);
@@ -668,9 +666,9 @@ static NSVGparser* nsvg__createParser()
static void nsvg__deleteStyles(NSVGstyles* style) {
while (style) {
NSVGstyles *next = style->next;
- if (style->name!= NULL)
+ if (style->name)
free(style->name);
- if (style->description != NULL)
+ if (style->description)
free(style->description);
free(style);
style = next;
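Review bot: The two NULL guards rewritten in this hunk, `if (style->name)` and `if (style->description)`, are redundant because `free(NULL)` is defined to be a no-op, so the loop body can simply be `free(style->name); free(style->description); free(style);`. That also removes the branch Valgrind flagged in the commit message once the fields are zeroed at allocation time. Dropping the guards is a style point only; behaviour is identical either way.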
@@ -980,9 +978,8 @@ static void nsvg__addShape(NSVGparser* p)
if (p->plist == NULL)
return;
- shape = (NSVGshape*)malloc(sizeof(NSVGshape));
+ shape = (NSVGshape*)calloc(1, sizeof(NSVGshape));
if (shape == NULL) goto error;
- memset(shape, 0, sizeof(NSVGshape));
memcpy(shape->id, attr->id, sizeof shape->id);
scale = nsvg__getAverageScale(attr->xform);
@@ -1079,9 +1076,8 @@ static void nsvg__addPath(NSVGparser* p, char closed)
if ((p->npts % 3) != 1)
return;
- path = (NSVGpath*)malloc(sizeof(NSVGpath));
+ path = (NSVGpath*)calloc(1, sizeof(NSVGpath));
if (path == NULL) goto error;
- memset(path, 0, sizeof(NSVGpath));
path->pts = (float*)malloc(p->npts*2*sizeof(float));
if (path->pts == NULL) goto error;
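Review bot: The point-array allocation kept as `malloc(p->npts*2*sizeof(float))` multiplies `p->npts*2` before it is widened by `sizeof`, so if `npts` is a plain `int` (its declaration is outside this hunk) that intermediate product is signed arithmetic and can overflow before the size_t multiply. Widening first, `path->pts = (float*)malloc((size_t)p->npts * 2 * sizeof(float));`, or using `calloc((size_t)p->npts * 2, sizeof(float))` for its built-in overflow check, keeps the size computation in size_t throughout. Whether a crafted file can actually drive `npts` that high depends on how the point buffer grows, which is not visible here. The function's `error:` cleanup lies outside the hunk.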
@@ -2627,9 +2623,8 @@ static void nsvg__parseSVG(NSVGparser* p, const char** attr)
static void nsvg__parseGradient(NSVGparser* p, const char** attr, char type)
{
int i;
- NSVGgradientData* grad = (NSVGgradientData*)malloc(sizeof(NSVGgradientData));
+ NSVGgradientData* grad = (NSVGgradientData*)calloc(1, sizeof(NSVGgradientData));
if (grad == NULL) return;
- memset(grad, 0, sizeof(NSVGgradientData));
grad->units = NSVG_OBJECT_SPACE;
grad->type = type;
if (grad->type == NSVG_PAINT_LINEAR_GRADIENT) {
@@ -2825,7 +2820,7 @@ static char *nsvg__strndup(const char *s, size_t n)
result = (char *)malloc(len + 1);
if (!result)
- return 0;
+ return NULL;
result[len] = '\0';
return (char *)memcpy(result, s, len);
@@ -2844,7 +2839,7 @@ static void nsvg__content(void* ud, const char* s)
if (state == 1) {
NSVGstyles* next = p->styles;
- p->styles = (NSVGstyles*)malloc(sizeof(NSVGstyles));
+ p->styles = (NSVGstyles*)calloc(1, sizeof(NSVGstyles));
p->styles->next = next;
p->styles->name = nsvg__strndup(start, (size_t)(s - start));
start = s + 1;
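Review bot: The result of `p->styles = (NSVGstyles*)calloc(1, sizeof(NSVGstyles));` is dereferenced on the very next line with no NULL check, so an allocation failure while parsing style content is a NULL-pointer write; every other allocation in this patch checks its result. Because the old list head is overwritten before the check could run, the fix should allocate into a local, bail out if it is NULL, and only then link it in, so the existing `p->styles` chain stays intact for `nsvg__deleteStyles`. `nsvg__content` is void, so an early return is the minimal recovery; if the parser has an error flag it would be better to set it here as well, but that is not visible in the hunk. The enclosing function starts and ends outside this hunk.
```c
NSVGstyles* next = p->styles;
NSVGstyles* style = (NSVGstyles*)calloc(1, sizeof(NSVGstyles));
if (style == NULL)
	return; /* keep the existing style list intact on OOM */
style->next = next;
style->name = nsvg__strndup(start, (size_t)(s - start));
p->styles = style;
start = s + 1;
```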
@@ -3074,9 +3069,8 @@ NSVG_EXPORT NSVGpath* nsvgDuplicatePath(NSVGpath* p)
if (p == NULL)
return NULL;
- res = (NSVGpath*)malloc(sizeof(NSVGpath));
+ res = (NSVGpath*)calloc(1, sizeof(NSVGpath));
if (res == NULL) goto error;
- memset(res, 0, sizeof(NSVGpath));
res->pts = (float*)malloc(p->npts*2*sizeof(float));
if (res->pts == NULL) goto error;
diff --git a/nanosvgrast.h b/nanosvgrast.h
index b2a7cf5..27d3aaf 100644
--- a/nanosvgrast.h
+++ b/nanosvgrast.h
@@ -152,11 +152,10 @@ struct NSVGrasterizer
int width, height, stride;
};
-NSVG_EXPORT NSVGrasterizer* nsvgCreateRasterizer()
+NSVG_EXPORT NSVGrasterizer* nsvgCreateRasterizer(void)
{
- NSVGrasterizer* r = (NSVGrasterizer*)malloc(sizeof(NSVGrasterizer));
+ NSVGrasterizer* r = (NSVGrasterizer*)calloc(1, sizeof(NSVGrasterizer));
if (r == NULL) goto error;
- memset(r, 0, sizeof(NSVGrasterizer));
r->tessTol = 0.25f;
r->distTol = 0.01f;
@@ -199,9 +198,8 @@ static NSVGmemPage* nsvg__nextPage(NSVGrasterizer* r, NSVGmemPage* cur)
}
// Alloc new page
- newp = (NSVGmemPage*)malloc(sizeof(NSVGmemPage));
+ newp = (NSVGmemPage*)calloc(1, sizeof(NSVGmemPage));
if (newp == NULL) return NULL;
- memset(newp, 0, sizeof(NSVGmemPage));
// Add to linked list
if (cur != NULL)