[librsvg/librsvg-2.40: 8/10] Limit the number of loaded elements
- From: Federico Mena Quintero <federico src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [librsvg/librsvg-2.40: 8/10] Limit the number of loaded elements
- Date: Wed, 26 Feb 2020 17:43:35 +0000 (UTC)
commit 668a0ef202f54cd549116d48f1c92f8e39b0a50b
Author: Federico Mena Quintero <federico gnome org>
Date: Wed Feb 26 11:39:43 2020 -0600
Limit the number of loaded elements
To avoid unbounded memory consumption from malicious files.
rsvg-base.c | 24 ++++++++++++++++++++++++
rsvg-private.h | 1 +
tests/errors.c | 4 +---
3 files changed, 26 insertions(+), 3 deletions(-)
---
diff --git a/rsvg-base.c b/rsvg-base.c
index da443f64..756f149a 100644
--- a/rsvg-base.c
+++ b/rsvg-base.c
@@ -705,12 +705,36 @@ rsvg_start_xinclude (RsvgHandle * ctx, RsvgPropertyBag * atts)
/* end xinclude */
+static gboolean
+loading_limits_exceeded (RsvgHandle *handle)
+{
+ /* This is a mitigation for SVG files which create millions of elements
+ * in an attempt to exhaust memory. We don't allow loading more than
+ * this number of elements during the initial streaming load process.
+ */
+ return handle->priv->num_loaded_elements > 200000;
+}
+
static void
rsvg_start_element (void *data, const xmlChar * name, const xmlChar ** atts)
{
RsvgPropertyBag *bag;
RsvgHandle *ctx = (RsvgHandle *) data;
+ /* In a different way from librsvg 2.42, we do the following check here, not
+ * in rsvg_standard_element_start() as it is done there. This is because
+ * librsvg 2.40 still creates nodes for <title> and <metadata> elements, and
+ * we'd like to prevent unbounded memory consuption for those elements, too.
+ */
+ if (loading_limits_exceeded (ctx)) {
+ g_set_error (ctx->priv->error, RSVG_ERROR, 0, "instancing limit");
+
+ xmlStopParser (ctx->priv->ctxt);
+ return;
+ }
+
+ ctx->priv->num_loaded_elements += 1;
+
bag = rsvg_property_bag_new ((const char **) atts);
if (ctx->priv->handler) {
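Review bot: The bound in loading_limits_exceeded() is a bare `200000`, and the error raised in rsvg_start_element() uses the literal code `0` with the text "instancing limit", which names a different limit than the element count enforced here. I would name the bound, for example `#define RSVG_MAX_LOADED_ELEMENTS 200000` (a proposed name), and raise `g_set_error (ctx->priv->error, RSVG_ERROR, RSVG_ERROR_FAILED, "maximum number of loaded elements exceeded");` so a rejected file can be triaged from the message alone. Any test or caller that matches on the current text would need the same update. The comparison is `>` and runs before the increment, so 200001 elements are accepted before the parser is stopped; this is harmless, but the comment should say whether the bound is inclusive. rsvg_start_element() continues past the end of the hunk.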
diff --git a/rsvg-private.h b/rsvg-private.h
index 734c9db4..82157bc2 100644
--- a/rsvg-private.h
+++ b/rsvg-private.h
@@ -167,6 +167,7 @@ struct RsvgHandlePrivate {
*/
RsvgSaxHandler *handler;
int handler_nest;
+ gsize num_loaded_elements;
GHashTable *entities; /* g_malloc'd string -> xmlEntityPtr */
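Review bot: The new field `num_loaded_elements` carries no comment, and nothing in this commit initializes or resets it. A short note such as `gsize num_loaded_elements; /* elements seen by rsvg_start_element(); compared against the loading limit */` would tell the reader that the counter is cumulative for the lifetime of the handle. The limit check presumably relies on the private struct being zero-filled when it is allocated, which is worth confirming because the allocation is not part of this diff. The struct definition starts and ends outside the hunk.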
diff --git a/tests/errors.c b/tests/errors.c
index 475dd12c..1eaf86c8 100644
--- a/tests/errors.c
+++ b/tests/errors.c
@@ -90,13 +90,11 @@ main (int argc, char **argv)
"308-doubly-recursive-use.svg",
test_instancing_limit,
NULL);
-/*
+
g_test_add_data_func_full ("/errors/515-too-many-elements.svgz",
"515-too-many-elements.svgz",
test_loading_error,
NULL);
-*/
-
return g_test_run ();
}
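Review bot: The re-enabled case only exercises a file that is over the limit; nothing here checks that a large document below the bound still loads, so a later change that lowers the bound or miscounts elements would go unnoticed. A companion fixture just under the limit, registered with a test that expects a successful load, would pin both sides of the check. The hunk also drops the blank line before `return g_test_run ();`, which looks unintentional. main() starts outside the hunk.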