Home Explore Help
Sign In
archive
/
spine-runtimes
mirror of https://github.com/EsotericSoftware/spine-runtimes.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

fix use after free

the string created by value.substr(index * 2, 2) is deleted after c_str()
but before strtoul executes. The solution is to use a temporary string
to store the value.
Victor Savu 12 years ago
parent
f77459983f
commit
67aa830511
1 changed files with 3 additions and 2 deletions
Split View Show Diff Stats
  1. 3 2
      spine-cpp/src/spine/BaseSkeletonJson.cpp

+ 3 - 2
spine-cpp/src/spine/BaseSkeletonJson.cpp
View File 

@@ -21,8 +21,9 @@ namespace spine {
 
 static float toColor (const string &value, int index) {
 
 	if (value.size() != 8) throw runtime_error("Error parsing color, length must be 8: " + value);
 
 	char *p;
 
-	int color = strtoul(value.substr(index * 2, 2).c_str(), &p, 16);
 
-	if (*p != 0) throw runtime_error("Error parsing color: " + value + ", invalid hex value: " + value.substr(index * 2, 2));
 
+	string tmp = value.substr(index * 2, 2);
 
+	int color = strtoul(tmp.c_str(), &p, 16);
 
+	if (*p != 0) throw runtime_error("Error parsing color: " + value + ", invalid hex value: " + tmp);
 
 	return color / (float)255;
 
 }