From e06eef11c974e38e12c808f95b3987fc41da3f02 Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Wed, 12 Oct 2016 10:56:53 +0100
Subject: Bug 697012: Avoid overflow in xps_parse_real_num.

---
 source/xps/xps-glyphs.c | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

(limited to 'source/xps')

diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
index 82daf768..dc414f57 100644
--- a/source/xps/xps-glyphs.c
+++ b/source/xps/xps-glyphs.c
@@ -298,21 +298,13 @@ static inline int is_real_num_char(int c)
 static char *
 xps_parse_real_num(char *s, float *number, int *override)
 {
-	char buf[64];
-	char *p = buf;
-	while (is_real_num_char(*s))
-		*p++ = *s++;
-	*p = 0;
-	if (buf[0])
-	{
-		*override = 1;
-		*number = fz_atof(buf);
-	}
-	else
-	{
-		*override = 0;
-	}
-	return s;
+	char *tail;
+	float v;
+	v = fz_strtof(s, &tail);
+	*override = tail != s;
+	if (*override)
+		*number = v;
+	return tail;
 }
 
 static char *
-- 
cgit v1.2.3