[librsvg] bgo#738050 - Handle the case where a list of coordinate pairs has an odd number of elements



commit 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df
Author: Federico Mena Quintero <federico gnome org>
Date:   Thu Feb 5 18:08:25 2015 -0600

    bgo#738050 - Handle the case where a list of coordinate pairs has an odd number of elements
    
    Lists of points come in coordinate pairs, but we didn't have any checking for that.
    It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate
    of an x,y pair, that was in fact missing, leading to an out-of-bounds array read.
    
    In that case, we now reuse the last-known y coordinate.
    
    Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050
    
    Signed-off-by: Federico Mena Quintero <federico gnome org>

 rsvg-shapes.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)
---
diff --git a/rsvg-shapes.c b/rsvg-shapes.c
index c13b90c..e4a705d 100644
--- a/rsvg-shapes.c
+++ b/rsvg-shapes.c
@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value,
 
     /* "L %f %f " */
     for (i = 2; i < pointlist_len; i += 2) {
+        double p;
+
         g_string_append (d, " L ");
         g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i]));
         g_string_append_c (d, ' ');
-        g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1]));
+
+        /* We expect points to come in coordinate pairs.  But if there is a
+         * missing part of one pair in a corrupt SVG, we'll have an incomplete
+         * list.  In that case, we reuse the last-known Y coordinate.
+         */
+        if (i + 1 < pointlist_len)
+            p = pointlist[i + 1];
+        else
+            p = pointlist[i - 1];
+
+        g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p));
     }
 
     if (close_path)
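Review bot: The new bounds check at `if (i + 1 < pointlist_len)` covers only reads inside the loop, and the diffstat shows rsvg-shapes.c as the only file touched, so nothing pins the fix. Add a regression test with a points list that has an odd number of values, so the out-of-bounds read described in the commit message cannot return unnoticed. The fallback `p = pointlist[i - 1]` is itself in bounds because the loop starts at i = 2. The code before the loop is outside this hunk, so it is worth confirming that it does not read pointlist[1] when pointlist_len is 1. The else branch can only be taken on the final iteration, when pointlist_len is odd, and the comment could say so.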

