Fix potential buffer overflow (bug#50767)

* src/image.c (svg_load_image): Check how many bytes were actually
written to the buffer.  Don't check xmalloc return value as xmalloc
doesn't return if it fails.

src/image.c

@@ -9996,10 +9996,16 @@ svg_load_image (struct frame *f, struct image *img, char *contents,
   if (!STRINGP (lcss))
     {
       /* Generate the CSS for the SVG image.  */
-      const char *css_spec = "svg{font-family:\"%s\";font-size:%4dpx}";
+      /* FIXME: The below calculations leave enough space for a font
-      int css_len = strlen (css_spec) + strlen (img->face_font_family);
+	 size up to 9999, if it overflows we just throw an error but
+	 should probably increase the buffer size.  */
+      const char *css_spec = "svg{font-family:\"%s\";font-size:%dpx}";
+      int css_len = strlen (css_spec) + strlen (img->face_font_family) + 1;
       css = xmalloc (css_len);
-      snprintf (css, css_len, css_spec, img->face_font_family, img->face_font_size);
+      if (css_len <= snprintf (css, css_len, css_spec,
+			       img->face_font_family, img->face_font_size))
+	goto rsvg_error;
+
       rsvg_handle_set_stylesheet (rsvg_handle, (guint8 *)css, strlen (css), NULL);
     }
   else
@@ -10157,12 +10163,11 @@ svg_load_image (struct frame *f, struct image *img, char *contents,
 
     wrapped_contents = xmalloc (buffer_size);
 
-    if (!wrapped_contents
+    if (buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
-        || buffer_size <= snprintf (wrapped_contents, buffer_size, wrapper,
+				 foreground & 0xFFFFFF, width, height,
-                                    foreground & 0xFFFFFF, width, height,
+				 viewbox_width, viewbox_height,
-                                    viewbox_width, viewbox_height,
+				 background & 0xFFFFFF,
-                                    background & 0xFFFFFF,
+				 SSDATA (encoded_contents)))
-                                    SSDATA (encoded_contents)))
       goto rsvg_error;
 
     wrapped_size = strlen (wrapped_contents);