Safely parse preg_match_all matches

bsweeney · bsweeney · commit 80b2f1595876 · 2022-08-29T08:15:21.000-04:00
fixes #54
diff --git a/src/Svg/Tag/AbstractTag.php b/src/Svg/Tag/AbstractTag.php
@@ -135,21 +135,19 @@ protected function applyTransform($attributes)
 
             $transform = $attributes["transform"];
 
-            $match = array();
+            $matches = array();
             preg_match_all(
-                '/(matrix|translate|scale|rotate|skewX|skewY)\((.*?)\)/is',
+                '/(matrix|translate|scale|rotate|skew|skewX|skewY)\((.*?)\)/is',
                 $transform,
-                $match,
+                $matches,
                 PREG_SET_ORDER
             );
 
             $transformations = array();
-            if (count($match[0])) {
-                foreach ($match as $_match) {
-                    $arguments = preg_split('/[ ,]+/', $_match[2]);
-                    array_unshift($arguments, $_match[1]);
-                    $transformations[] = $arguments;
-                }
+            foreach ($matches as $match) {
+                $arguments = preg_split('/[ ,]+/', $match[2]);
+                array_unshift($arguments, $match[1]);
+                $transformations[] = $arguments;
             }
 
             foreach ($transformations as $t) {
diff --git a/src/Svg/Tag/Path.php b/src/Svg/Tag/Path.php
@@ -61,7 +61,7 @@ public static function parse(string $commandSequence): array
                 $commandLower = strtolower($c[1]);
 
                 // arcs have special flags that apparently don't require spaces.
-                if ($commandLower === 'a' && preg_match_all(static::ARC_REGEXP, $c[2], $matches)) {
+                if ($commandLower === 'a' && preg_match_all(static::ARC_REGEXP, $c[2], $matches, PREG_PATTERN_ORDER)) {
                     $numberOfMatches = count($matches[0]);
                     for ($k = 0; $k < $numberOfMatches; ++$k) {
                         $path[] = [
diff --git a/src/Svg/Tag/Polygon.php b/src/Svg/Tag/Polygon.php
@@ -13,16 +13,25 @@ class Polygon extends Shape
     public function start($attributes)
     {
         $tmp = array();
-        preg_match_all('/([\-]*[0-9\.]+)/', $attributes['points'], $tmp);
+        preg_match_all('/([\-]*[0-9\.]+)/', $attributes['points'], $tmp, PREG_PATTERN_ORDER);
 
         $points = $tmp[0];
         $count = count($points);
 
+        if ($count < 4) {
+            // nothing to draw
+            return;
+        }
+
         $surface = $this->document->getSurface();
         list($x, $y) = $points;
         $surface->moveTo($x, $y);
 
         for ($i = 2; $i < $count; $i += 2) {
+            if ($i + 1 === $count) {
+                // invalid trailing point
+                continue;
+            }
             $x = $points[$i];
             $y = $points[$i + 1];
             $surface->lineTo($x, $y);
diff --git a/src/Svg/Tag/Polyline.php b/src/Svg/Tag/Polyline.php
@@ -13,16 +13,25 @@ class Polyline extends Shape
     public function start($attributes)
     {
         $tmp = array();
-        preg_match_all('/([\-]*[0-9\.]+)/', $attributes['points'], $tmp);
+        preg_match_all('/([\-]*[0-9\.]+)/', $attributes['points'], $tmp, PREG_PATTERN_ORDER);
 
         $points = $tmp[0];
         $count = count($points);
 
+        if ($count < 4) {
+            // nothing to draw
+            return;
+        }
+
         $surface = $this->document->getSurface();
         list($x, $y) = $points;
         $surface->moveTo($x, $y);
 
         for ($i = 2; $i < $count; $i += 2) {
+            if ($i + 1 === $count) {
+                // invalid trailing point
+                continue;
+            }
             $x = $points[$i];
             $y = $points[$i + 1];
             $surface->lineTo($x, $y);
