
bug 3: another stack buffer overflow bug which may lead to RCE #4

@ghost

Description

ASAN: https://pan.baidu.com/s/1PkaKUDN5p08FEU0ANflUQg
POC: https://pan.baidu.com/s/1d6txGGMKINmIWWLSVjwORw
EXP: https://pan.baidu.com/s/1S4uNtdBtGmTK5p47BGI8Mg password:i5n2

Description:
An sscanf operation without a check of the string length, which may lead to a stack overflow. When this library is used to parse SVG by a browser, RCE is possible.

void svgStringToLength( const char *szValue, svgLength *ptLength )
{
 char szUnit[ 8 ] = "";

 if( szValue==NULL || ptLength==NULL )
  return;

 memset( ptLength, 0, sizeof( *ptLength ) );
 sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );

 SVG_DEBUG_PRINTF( "Value %#.4f\n", ptLength->fValue );

 ptLength->tUnit = SVG_LENGTH_UNIT_NONE;
 if( szUnit[ 0 ]=='\0' )
  return;

 if( strcmp( szUnit, "em" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_EM;
 else if( strcmp( szUnit, "ex" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_EX;
 else if( strcmp( szUnit, "in" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_IN;
 else if( strcmp( szUnit, "cm" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_CM;
 else if( strcmp( szUnit, "mm" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_MM;
 else if( strcmp( szUnit, "pt" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_PT;
 else if( strcmp( szUnit, "pc" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_PC;
 else if( strcmp( szUnit, "%" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_PERCENT;
 else if( strcmp( szUnit, "px" )==0 )
  ptLength->tUnit = SVG_LENGTH_UNIT_PX;
}

sscanf( szValue, "%f%s", &ptLength->fValue, szUnit );

This function call doesn't check the string in szValue, which can lead to a stack overflow!

debug image: https://pan.baidu.com/s/10dvIlFtXydbwb0egxeXXGg
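As an added example that is not part of this issue or of the project's own code, the parser below is a bounded rewrite of the quoted svgStringToLength(): the unit suffix is read with a field width ("%7s") so the 8-byte szUnit can never be overrun, and "%n" is used to reject leftover input instead of silently truncating an over-long suffix into a valid-looking one. The svgLength struct, the svgLengthUnit enum values, the helper names unitOf()/valueOf() and the sample inputs are assumptions for this example; the real project's definitions may differ.

```c
/* Added example, not the project's own code: a bounded rewrite of the
 * svgStringToLength() parser quoted in this issue. The svgLength struct,
 * the svgLengthUnit enum and the helper names are assumptions for this
 * example; the real project's definitions may differ. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum {
    SVG_LENGTH_UNIT_NONE = 0, SVG_LENGTH_UNIT_EM, SVG_LENGTH_UNIT_EX,
    SVG_LENGTH_UNIT_IN, SVG_LENGTH_UNIT_CM, SVG_LENGTH_UNIT_MM,
    SVG_LENGTH_UNIT_PT, SVG_LENGTH_UNIT_PC, SVG_LENGTH_UNIT_PERCENT,
    SVG_LENGTH_UNIT_PX
} svgLengthUnit;

typedef struct {
    float fValue;
    svgLengthUnit tUnit;
} svgLength;

static const struct { const char *name; svgLengthUnit unit; } units[] = {
    {"em", SVG_LENGTH_UNIT_EM}, {"ex", SVG_LENGTH_UNIT_EX},
    {"in", SVG_LENGTH_UNIT_IN}, {"cm", SVG_LENGTH_UNIT_CM},
    {"mm", SVG_LENGTH_UNIT_MM}, {"pt", SVG_LENGTH_UNIT_PT},
    {"pc", SVG_LENGTH_UNIT_PC}, {"%",  SVG_LENGTH_UNIT_PERCENT},
    {"px", SVG_LENGTH_UNIT_PX},
};

/* Returns 1 on success; 0 for NULL input, no leading number, an over-long
 * or unknown unit, or trailing garbage. szUnit can never be overrun. */
int svgStringToLengthSafe(const char *szValue, svgLength *ptLength)
{
    char szUnit[8] = "";
    char *end = NULL;
    int consumed = 0;
    size_t i;

    if (szValue == NULL || ptLength == NULL)
        return 0;
    memset(ptLength, 0, sizeof(*ptLength));

    /* strtof() takes the longest valid numeric prefix and reports where it
     * stopped, so "3em" yields 3 with "em" left over. */
    ptLength->fValue = strtof(szValue, &end);
    if (end == szValue)
        return 0;                          /* no number at all */

    /* The fix for the reported bug: a field width. "%7s" writes at most
     * 7 characters plus the NUL into szUnit[8]. "%n" records how much was
     * consumed so leftover input (an over-long unit) is rejected rather
     * than silently truncated. */
    if (sscanf(end, "%7s%n", szUnit, &consumed) != 1) {
        ptLength->tUnit = SVG_LENGTH_UNIT_NONE;   /* only whitespace left */
        return 1;
    }
    if (end[consumed] != '\0')
        return 0;                          /* trailing input: reject */

    for (i = 0; i < sizeof(units) / sizeof(units[0]); i++) {
        if (strcmp(szUnit, units[i].name) == 0) {
            ptLength->tUnit = units[i].unit;
            return 1;
        }
    }
    return 0;                              /* unknown unit */
}

/* Helper (assumed name): the unit parsed from s, or -1 when rejected. */
int unitOf(const char *s)
{
    svgLength l;
    return svgStringToLengthSafe(s, &l) ? (int)l.tUnit : -1;
}

/* Helper (assumed name): the numeric value parsed from s, or -1.0f when rejected. */
float valueOf(const char *s)
{
    svgLength l;
    return svgStringToLengthSafe(s, &l) ? l.fValue : -1.0f;
}

int main(void)
{
    /* Constructed inputs: ordinary lengths plus an over-long unit suffix of
     * the kind that would overflow the original 8-byte szUnit. */
    const char *samples[] = { "12.5px", "100%", "3em", "7",
                              "10pxpxpxpxpxpxpxpxpxpxpxpxpxpxpxpx", "10zz" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-36s -> unit %d value %g\n", samples[i],
               unitOf(samples[i]), valueOf(samples[i]));
    return 0;
}
```

The number is parsed with strtof() rather than "%f" so that the parser's own behaviour is defined by the C standard's longest-valid-prefix rule; the single change that closes the reported overflow, though, is the width in "%7s", which bounds the write to the size of szUnit regardless of how long the input is.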
