nanosvg: Sync with upstream 3e403ec

Includes some loop condition fixes after fuzzing.

The previously identified regression (#43641) is now fixed upstream.
This commit is contained in:
Rémi Verschelde 2020-11-20 12:01:23 +01:00
parent 68ddab547b
commit 1bb6491992
No known key found for this signature in database
GPG Key ID: C3336907360768E1
2 changed files with 62 additions and 21 deletions

View File

@ -435,7 +435,7 @@ Collection of single-file libraries used in Godot components.
## nanosvg ## nanosvg
- Upstream: https://github.com/memononen/nanosvg - Upstream: https://github.com/memononen/nanosvg
- Version: git (25241c5a8f8451d41ab1b02ab2d865b01600d949, 2019) - Version: git (3e403ec72a9145cbbcc6c63d94a4caf079aafec2, 2020)
- License: zlib - License: zlib
Files extracted from the upstream source: Files extracted from the upstream source:

View File

@ -225,11 +225,6 @@ static int nsvg__isdigit(char c)
return c >= '0' && c <= '9'; return c >= '0' && c <= '9';
} }
static int nsvg__isnum(char c)
{
return strchr("0123456789+-.eE", c) != 0;
}
static NSVG_INLINE float nsvg__minf(float a, float b) { return a < b ? a : b; } static NSVG_INLINE float nsvg__minf(float a, float b) { return a < b ? a : b; }
static NSVG_INLINE float nsvg__maxf(float a, float b) { return a > b ? a : b; } static NSVG_INLINE float nsvg__maxf(float a, float b) { return a > b ? a : b; }
@ -736,9 +731,11 @@ static void nsvg__lineTo(NSVGparser* p, float x, float y)
static void nsvg__cubicBezTo(NSVGparser* p, float cpx1, float cpy1, float cpx2, float cpy2, float x, float y) static void nsvg__cubicBezTo(NSVGparser* p, float cpx1, float cpy1, float cpx2, float cpy2, float x, float y)
{ {
if (p->npts > 0) {
nsvg__addPoint(p, cpx1, cpy1); nsvg__addPoint(p, cpx1, cpy1);
nsvg__addPoint(p, cpx2, cpy2); nsvg__addPoint(p, cpx2, cpy2);
nsvg__addPoint(p, x, y); nsvg__addPoint(p, x, y);
}
} }
static NSVGattrib* nsvg__getAttr(NSVGparser* p) static NSVGattrib* nsvg__getAttr(NSVGparser* p)
@ -808,7 +805,9 @@ static float nsvg__convertToPixels(NSVGparser* p, NSVGcoordinate c, float orig,
static NSVGgradientData* nsvg__findGradientData(NSVGparser* p, const char* id) static NSVGgradientData* nsvg__findGradientData(NSVGparser* p, const char* id)
{ {
NSVGgradientData* grad = p->gradients; NSVGgradientData* grad = p->gradients;
while (grad) { if (id == NULL || *id == '\0')
return NULL;
while (grad != NULL) {
if (strcmp(grad->id, id) == 0) if (strcmp(grad->id, id) == 0)
return grad; return grad;
grad = grad->next; grad = grad->next;
@ -825,19 +824,26 @@ static NSVGgradient* nsvg__createGradient(NSVGparser* p, const char* id, const f
NSVGgradient* grad; NSVGgradient* grad;
float ox, oy, sw, sh, sl; float ox, oy, sw, sh, sl;
int nstops = 0; int nstops = 0;
int refIter;
data = nsvg__findGradientData(p, id); data = nsvg__findGradientData(p, id);
if (data == NULL) return NULL; if (data == NULL) return NULL;
// TODO: use ref to fill in all unset values too. // TODO: use ref to fill in all unset values too.
ref = data; ref = data;
refIter = 0;
while (ref != NULL) { while (ref != NULL) {
NSVGgradientData* nextRef = NULL;
if (stops == NULL && ref->stops != NULL) { if (stops == NULL && ref->stops != NULL) {
stops = ref->stops; stops = ref->stops;
nstops = ref->nstops; nstops = ref->nstops;
break; break;
} }
ref = nsvg__findGradientData(p, ref->ref); nextRef = nsvg__findGradientData(p, ref->ref);
if (nextRef == ref) break; // prevent infite loops on malformed data
ref = nextRef;
refIter++;
if (refIter > 32) break; // prevent infite loops on malformed data
} }
if (stops == NULL) return NULL; if (stops == NULL) return NULL;
@ -1040,6 +1046,10 @@ static void nsvg__addPath(NSVGparser* p, char closed)
if (closed) if (closed)
nsvg__lineTo(p, p->pts[0], p->pts[1]); nsvg__lineTo(p, p->pts[0], p->pts[1]);
// Expect 1 + N*3 points (N = number of cubic bezier segments).
if ((p->npts % 3) != 1)
return;
path = (NSVGpath*)malloc(sizeof(NSVGpath)); path = (NSVGpath*)malloc(sizeof(NSVGpath));
if (path == NULL) goto error; if (path == NULL) goto error;
memset(path, 0, sizeof(NSVGpath)); memset(path, 0, sizeof(NSVGpath));
@ -1458,6 +1468,15 @@ static int nsvg__parseUnits(const char* units)
return NSVG_UNITS_USER; return NSVG_UNITS_USER;
} }
static int nsvg__isCoordinate(const char* s)
{
// optional sign
if (*s == '-' || *s == '+')
s++;
// must have at least one digit, or start by a dot
return (nsvg__isdigit(*s) || *s == '.');
}
static NSVGcoordinate nsvg__parseCoordinateRaw(const char* str) static NSVGcoordinate nsvg__parseCoordinateRaw(const char* str)
{ {
NSVGcoordinate coord = {0, NSVG_UNITS_USER}; NSVGcoordinate coord = {0, NSVG_UNITS_USER};
@ -1597,25 +1616,32 @@ static int nsvg__parseRotate(float* xform, const char* str)
static void nsvg__parseTransform(float* xform, const char* str) static void nsvg__parseTransform(float* xform, const char* str)
{ {
float t[6]; float t[6];
int len;
nsvg__xformIdentity(xform); nsvg__xformIdentity(xform);
while (*str) while (*str)
{ {
if (strncmp(str, "matrix", 6) == 0) if (strncmp(str, "matrix", 6) == 0)
str += nsvg__parseMatrix(t, str); len = nsvg__parseMatrix(t, str);
else if (strncmp(str, "translate", 9) == 0) else if (strncmp(str, "translate", 9) == 0)
str += nsvg__parseTranslate(t, str); len = nsvg__parseTranslate(t, str);
else if (strncmp(str, "scale", 5) == 0) else if (strncmp(str, "scale", 5) == 0)
str += nsvg__parseScale(t, str); len = nsvg__parseScale(t, str);
else if (strncmp(str, "rotate", 6) == 0) else if (strncmp(str, "rotate", 6) == 0)
str += nsvg__parseRotate(t, str); len = nsvg__parseRotate(t, str);
else if (strncmp(str, "skewX", 5) == 0) else if (strncmp(str, "skewX", 5) == 0)
str += nsvg__parseSkewX(t, str); len = nsvg__parseSkewX(t, str);
else if (strncmp(str, "skewY", 5) == 0) else if (strncmp(str, "skewY", 5) == 0)
str += nsvg__parseSkewY(t, str); len = nsvg__parseSkewY(t, str);
else{ else{
++str; ++str;
continue; continue;
} }
if (len != 0) {
str += len;
} else {
++str;
continue;
}
nsvg__xformPremultiply(xform, t); nsvg__xformPremultiply(xform, t);
} }
@ -1876,8 +1902,11 @@ static int nsvg__getArgsPerElement(char cmd)
case 'a': case 'a':
case 'A': case 'A':
return 7; return 7;
} case 'z':
case 'Z':
return 0; return 0;
}
return -1;
} }
static void nsvg__pathMoveTo(NSVGparser* p, float* cpx, float* cpy, float* args, int rel) static void nsvg__pathMoveTo(NSVGparser* p, float* cpx, float* cpy, float* args, int rel)
@ -2187,6 +2216,7 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
float args[10]; float args[10];
int nargs; int nargs;
int rargs = 0; int rargs = 0;
char initPoint;
float cpx, cpy, cpx2, cpy2; float cpx, cpy, cpx2, cpy2;
const char* tmp[4]; const char* tmp[4];
char closedFlag; char closedFlag;
@ -2209,13 +2239,14 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
nsvg__resetPath(p); nsvg__resetPath(p);
cpx = 0; cpy = 0; cpx = 0; cpy = 0;
cpx2 = 0; cpy2 = 0; cpx2 = 0; cpy2 = 0;
initPoint = 0;
closedFlag = 0; closedFlag = 0;
nargs = 0; nargs = 0;
while (*s) { while (*s) {
s = nsvg__getNextPathItem(s, item); s = nsvg__getNextPathItem(s, item);
if (!*item) break; if (!*item) break;
if (nsvg__isnum(item[0])) { if (cmd != '\0' && nsvg__isCoordinate(item)) {
if (nargs < 10) if (nargs < 10)
args[nargs++] = (float)nsvg__atof(item); args[nargs++] = (float)nsvg__atof(item);
if (nargs >= rargs) { if (nargs >= rargs) {
@ -2228,6 +2259,7 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
cmd = (cmd == 'm') ? 'l' : 'L'; cmd = (cmd == 'm') ? 'l' : 'L';
rargs = nsvg__getArgsPerElement(cmd); rargs = nsvg__getArgsPerElement(cmd);
cpx2 = cpx; cpy2 = cpy; cpx2 = cpx; cpy2 = cpy;
initPoint = 1;
break; break;
case 'l': case 'l':
case 'L': case 'L':
@ -2277,7 +2309,6 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
} }
} else { } else {
cmd = item[0]; cmd = item[0];
rargs = nsvg__getArgsPerElement(cmd);
if (cmd == 'M' || cmd == 'm') { if (cmd == 'M' || cmd == 'm') {
// Commit path. // Commit path.
if (p->npts > 0) if (p->npts > 0)
@ -2286,7 +2317,11 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
nsvg__resetPath(p); nsvg__resetPath(p);
closedFlag = 0; closedFlag = 0;
nargs = 0; nargs = 0;
} else if (cmd == 'Z' || cmd == 'z') { } else if (initPoint == 0) {
// Do not allow other commands until initial point has been set (moveTo called once).
cmd = '\0';
}
if (cmd == 'Z' || cmd == 'z') {
closedFlag = 1; closedFlag = 1;
// Commit path. // Commit path.
if (p->npts > 0) { if (p->npts > 0) {
@ -2302,6 +2337,12 @@ static void nsvg__parsePath(NSVGparser* p, const char** attr)
closedFlag = 0; closedFlag = 0;
nargs = 0; nargs = 0;
} }
rargs = nsvg__getArgsPerElement(cmd);
if (rargs == -1) {
// Command not recognized
cmd = '\0';
rargs = 0;
}
} }
} }
// Commit path. // Commit path.