From baab43aff280031f03e6dbbd13220716e1ee7bb1 Mon Sep 17 00:00:00 2001
From: JunsuChoi
Date: Mon, 22 Nov 2021 16:09:54 +0900
Subject: [PATCH] tvg_saver TvgBinInterpreter: prevent misaligned memory access

When parsing a binary stored as a char type, interpreter can access the misaligned memory while accessing it with a pointer. To prevent that, pass the array copied to memcpy as tvg Object.
---
 src/loaders/tvg/tvgTvgBinInterpreter.cpp | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/loaders/tvg/tvgTvgBinInterpreter.cpp b/src/loaders/tvg/tvgTvgBinInterpreter.cpp
index 383ae89b..b0364b10 100644
--- a/src/loaders/tvg/tvgTvgBinInterpreter.cpp
+++ b/src/loaders/tvg/tvgTvgBinInterpreter.cpp
@@ -248,12 +248,20 @@ static bool _parseShapeStrokeDashPattern(const char *ptr, const char *end, Shape
 uint32_t dashPatternCnt;
 READ_UI32(&dashPatternCnt, ptr);
 ptr += SIZE(uint32_t);
- const float* dashPattern = (float*) ptr;
- ptr += SIZE(float) * dashPatternCnt;
+ if (dashPatternCnt > 0) {
+ float* dashPattern = static_cast(malloc(sizeof(float) * dashPatternCnt));
+ if (!dashPattern) return false;
+ memcpy(dashPattern, ptr, sizeof(float) * dashPatternCnt);
+ ptr += SIZE(float) * dashPatternCnt;

- if (ptr > end) return false;
+ if (ptr > end) {
+ free(dashPattern);
+ return false;
+ }

- shape->stroke(dashPattern, dashPatternCnt);
+ shape->stroke(dashPattern, dashPatternCnt);
+ free(dashPattern);
+ }
 return true;
 }
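Review bot: The added `memcpy(dashPattern, ptr, sizeof(float) * dashPatternCnt)` runs before the `ptr > end` test, so a `dashPatternCnt` read from the file sizes both the `malloc` and a read past the end of the input buffer before anything rejects it. Check the count against the bytes that remain before allocating, for example `if (ptr > end || dashPatternCnt > static_cast<size_t>(end - ptr) / sizeof(float)) return false;` placed ahead of the `malloc`. With that guard the multiplication `sizeof(float) * dashPatternCnt` can no longer wrap on a target with a 32-bit `size_t`, and the later `ptr += SIZE(float) * dashPatternCnt` stays inside the buffer instead of relying on a comparison made after the pointer has already gone out of range. The opening of `_parseShapeStrokeDashPattern` lies outside the hunk, so whether four bytes are known to be available before `READ_UI32` cannot be confirmed from here.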