Bug 697012: Fix buffer overflow in gxps.

Port back same fix already applied to muxps.
author: Robin Watts <robin.watts@artifex.com> 2016-10-12 14:15:50 +0100
committer: Robin Watts <robin.watts@artifex.com> 2016-10-17 11:34:05 +0100
commit: 910f459d535cec757b8e5f541dd39be6fa2fb0c9 (patch)
tree: 41deef3413ba5df953f7c50b275443fbae9dc31c
parent: 9388ecefe9d8659d8434aa78d07a1fa247c8ea4e (diff)
download: ghostpdl-910f459d535cec757b8e5f541dd39be6fa2fb0c9.tar.gz
1 files changed, 8 insertions, 17 deletions
diff --git a/xps/xpsglyphs.c b/xps/xpsglyphs.c
index 1ac28de55..44947028d 100644
--- a/xps/xpsglyphs.c
+++ b/xps/xpsglyphs.c
@@ -17,6 +17,7 @@
 /* XPS interpreter - text drawing support */
 
 #include "ghostxps.h"
+#include <stdlib.h>
 
 #define XPS_TEXT_BUFFER_SIZE 300
 
@@ -368,26 +369,16 @@ xps_parse_digits(char *s, int *digit)
     return s;
 }
 
-static inline int is_real_num_char(int c)
-{
-    return (c >= '0' && c <= '9') || c == 'e' || c == 'E' || c == '+' || c == '-' || c == '.';
-}
-
 static char *
 xps_parse_real_num(char *s, float *number, bool *number_parsed)
 {
-    char buf[64];
-    char *p = buf;
-    *number_parsed = false;
-    
-    while (is_real_num_char(*s))
-        *p++ = *s++;
-    *p = 0;
-    if (buf[0]) {
-        *number = atof(buf);
-        *number_parsed = true;
-    }
-    return s;
+    char *tail;
+    float v;
+    v = (float)strtod(s, &tail);
+    *number_parsed = tail != s;
+    if (*number_parsed)
+        *number = v;
+    return tail;
 }
 
 static char *
author	Robin Watts <robin.watts@artifex.com>	2016-10-12 14:15:50 +0100
committer	Robin Watts <robin.watts@artifex.com>	2016-10-17 11:34:05 +0100
commit	910f459d535cec757b8e5f541dd39be6fa2fb0c9 (patch)
tree	41deef3413ba5df953f7c50b275443fbae9dc31c
parent	9388ecefe9d8659d8434aa78d07a1fa247c8ea4e (diff)
download	ghostpdl-910f459d535cec757b8e5f541dd39be6fa2fb0c9.tar.gz