diff options
| author | Thomas Holder <thomas@thomas-holder.de> | 2019-10-27 20:06:53 +0000 |
|---|---|---|
| committer | Thomas Holder <thomas@thomas-holder.de> | 2019-10-27 20:06:53 +0000 |
| commit | d7d54a937d857f3ac7ea826dbe16be85d31e49cf (patch) | |
| tree | d486f5914b8136c83566dbb87b389e1fb7720b14 /src/ui/tool/path-manipulator.cpp | |
| parent | fix merging "opacity" and "stop-opacity" (diff) | |
| download | inkscape-d7d54a937d857f3ac7ea826dbe16be85d31e49cf.tar.gz inkscape-d7d54a937d857f3ac7ea826dbe16be85d31e49cf.zip | |
fix heap-buffer-overflow in node tool
Observed with example file from
https://gitlab.com/inkscape/inkscape/merge_requests/982
Diffstat (limited to 'src/ui/tool/path-manipulator.cpp')
| -rw-r--r-- | src/ui/tool/path-manipulator.cpp | 16 |
1 files changed, 4 insertions, 12 deletions
diff --git a/src/ui/tool/path-manipulator.cpp b/src/ui/tool/path-manipulator.cpp index 82a8f5ecd..c89473db2 100644 --- a/src/ui/tool/path-manipulator.cpp +++ b/src/ui/tool/path-manipulator.cpp @@ -1208,28 +1208,20 @@ void PathManipulator::_createControlPointsFromGeometry() //XML Tree being used here directly while it shouldn't be. gchar const *nts_raw = _path ? _path->getRepr()->attribute(_nodetypesKey().data()) : nullptr; - std::string nodetype_string = nts_raw ? nts_raw : ""; /* Calculate the needed length of the nodetype string. * For closed paths, the entry is duplicated for the starting node, * so we can just use the count of segments including the closing one * to include the extra end node. */ - std::string::size_type nodetype_len = 0; - for (Geom::PathVector::const_iterator i = pathv.begin(); i != pathv.end(); ++i) { - if (i->empty()) continue; - nodetype_len += i->size_closed(); - } /* pad the string to required length with a bogus value. * 'b' and any other letter not recognized by the parser causes the best fit to be set * as the node type */ - if (nodetype_len > nodetype_string.size()) { - nodetype_string.append(nodetype_len - nodetype_string.size(), 'b'); - } - std::string::iterator tsi = nodetype_string.begin(); + auto const *tsi = nts_raw ? nts_raw : ""; for (auto & _subpath : _subpaths) { for (auto & j : *_subpath) { - j.setType(Node::parse_nodetype(*tsi++), false); + char nodetype = (*tsi) ? (*tsi++) : 'b'; + j.setType(Node::parse_nodetype(nodetype), false); } - if (_subpath->closed()) { + if (_subpath->closed() && *tsi) { // STUPIDITY ALERT: it seems we need to use the duplicate type symbol instead of // the first one to remain backward compatible. _subpath->begin()->setType(Node::parse_nodetype(*tsi++), false); |