[librsvg/librsvg-2.44] (#352): Parse kernelMatrix as an unbounded list

[Federico Mena Quintero <federico src gnome org>]

commit fd1b0e8f71b06505bc3230e26da3abc26453c3e3
Author: Ivan Molodetskikh <yalterz gmail com>
Date:   Tue Oct 2 12:52:49 2018 +0300

    (#352): Parse kernelMatrix as an unbounded list

 rsvg_internals/src/filters/convolve_matrix.rs      | 39 +++++++++++++---------
 .../352-feConvolveMatrix-large-allocation.svg      |  1 +
 2 files changed, 25 insertions(+), 15 deletions(-)
---
diff --git a/rsvg_internals/src/filters/convolve_matrix.rs b/rsvg_internals/src/filters/convolve_matrix.rs
index d99f13ce..d04acac1 100644
--- a/rsvg_internals/src/filters/convolve_matrix.rs
+++ b/rsvg_internals/src/filters/convolve_matrix.rs
@@ -174,24 +174,33 @@ impl NodeTrait for ConvolveMatrix {
             self.kernel_matrix.replace(Some({
                 let number_of_elements = self.order.get().0 as usize * self.order.get().1 as usize;
 
+                // #352: Parse as an unbounded list rather than exact length to prevent aborts due
+                //       to huge allocation attempts by underlying Vec::with_capacity().
+                let elements = parsers::number_list_from_str(value, ListLength::Unbounded)
+                    .map_err(|err| {
+                        NodeError::parse_error(
+                            attr,
+                            match err {
+                                NumberListError::IncorrectNumberOfElements => unreachable!(),
+                                NumberListError::Parse(err) => err,
+                            },
+                        )
+                    })?;
+
+                if elements.len() != number_of_elements {
+                    return Err(NodeError::value_error(
+                        attr,
+                        &format!(
+                            "incorrect number of elements: expected {}",
+                            number_of_elements
+                        ),
+                    ));
+                }
+
                 DMatrix::from_data(MatrixVec::new(
                     Dynamic::new(self.order.get().1 as usize),
                     Dynamic::new(self.order.get().0 as usize),
-                    parsers::number_list_from_str(value, ListLength::Exact(number_of_elements))
-                        .map_err(|err| {
-                            NodeError::parse_error(
-                                attr,
-                                match err {
-                                    NumberListError::IncorrectNumberOfElements => {
-                                        ParseError::new(format!(
-                                            "incorrect number of elements: expected {}",
-                                            number_of_elements
-                                        ))
-                                    }
-                                    NumberListError::Parse(err) => err,
-                                },
-                            )
-                        })?,
+                    elements,
                 ))
             }));
         }
diff --git a/tests/fixtures/crash/352-feConvolveMatrix-large-allocation.svg 
b/tests/fixtures/crash/352-feConvolveMatrix-large-allocation.svg
new file mode 100644
index 00000000..e696f663
--- /dev/null
+++ b/tests/fixtures/crash/352-feConvolveMatrix-large-allocation.svg
@@ -0,0 +1 @@
+<feConvolveMatrix order="50000" kernelMatrix=""/>