From a32373195b4b0323fa252f393451f21114c7f92b Mon Sep 17 00:00:00 2001
From: JunsuChoi <jsuya.choi@samsung.com>
Date: Tue, 11 Jan 2022 00:41:34 +0000
Subject: evas_vg_load_svg: Prevent array overflow

Summary: sz must be less than 20 to append 'carriage return'

Test Plan:
Example SVG
```
<?xml version="1.0" encoding="UTF-8"?>
<svg><aaaaaaaaaaaaaaaaaaaa > </aaaaaaaaaaaaaaaaaaaa></svg>
```

@fix

Reviewers: Hermet, raster, kimcinoo

Reviewed By: raster

Subscribers: cedric, #committers, #reviewers

Tags: #efl

Differential Revision: https://phab.enlightenment.org/D12313
---
 src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c b/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
index 1d93741ba3..465b499505 100644
--- a/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
+++ b/src/modules/evas/vg_loaders/svg/evas_vg_load_svg.c
@@ -2279,7 +2279,7 @@ _evas_svg_loader_xml_open_parser(Evas_SVG_Loader *loader,
         attrs_length = length - sz;
         while ((sz > 0) && (isspace(content[sz - 1])))
           sz--;
-        if ((unsigned int)sz > sizeof(tag_name)) return;
+        if ((unsigned int)sz >= sizeof(tag_name)) return;
         strncpy(tag_name, content, sz);
         tag_name[sz] = '\0';
      }
-- 
cgit v1.2.1