[librsvg/librsvg-2.44: 2/7] Rename num_elements_rendered_through_use to num_elements_acquired

From: Federico Mena Quintero <federico src gnome org>
To: commits-list gnome org
Cc:
Subject: [librsvg/librsvg-2.44: 2/7] Rename num_elements_rendered_through_use to num_elements_acquired
Date: Thu, 27 Feb 2020 01:12:39 +0000 (UTC)

commit 1b63d474943e8f1fe77757ee87f2d39502e32fda
Author: Federico Mena Quintero <federico gnome org>
Date:   Thu Oct 10 15:26:14 2019 -0500

    Rename num_elements_rendered_through_use to num_elements_acquired
    
    We'll change this to be the number of elements ever acquired through
    DrawingCtx.acquire_node(), instead of just those being instanced
    through the <use> element.  It turns out one can create a pathological
    SVG file that causes an exponential number of elements to be rendered,
    without using <use>.

 rsvg_internals/src/drawing_ctx.rs | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)
---
diff --git a/rsvg_internals/src/drawing_ctx.rs b/rsvg_internals/src/drawing_ctx.rs
index c9c2d169..0d0e401b 100644
--- a/rsvg_internals/src/drawing_ctx.rs
+++ b/rsvg_internals/src/drawing_ctx.rs
@@ -101,17 +101,9 @@ pub struct DrawingCtx<'a> {
     dpi_x: f64,
     dpi_y: f64,
 
-    /// This is a mitigation for the security-related bug
-    /// https://gitlab.gnome.org/GNOME/librsvg/issues/323 - imagine
-    /// the XML [billion laughs attack], but done by creating deeply
-    /// nested groups of `<use>` elements.  The first one references
-    /// the second one ten times, the second one references the third
-    /// one ten times, and so on.  In the file given, this causes
-    /// 10^17 objects to be rendered.  While this does not exhaust
-    /// memory, it would take a really long time.
-    ///
-    /// [billion laughs attack]: https://bitbucket.org/tiran/defusedxml
-    num_elements_rendered_through_use: usize,
+    // This is a mitigation for SVG files that try to instance a huge number of
+    // elements via <use>, recursive patterns, etc.  See limits.rs for details.
+    num_elements_acquired: usize,
 
     cr_stack: Vec<cairo::Context>,
     cr: cairo::Context,
@@ -170,7 +162,7 @@ impl<'a> DrawingCtx<'a> {
             rect,
             dpi_x,
             dpi_y,
-            num_elements_rendered_through_use: 0,
+            num_elements_acquired: 0,
             cr_stack: Vec::new(),
             cr: cr.clone(),
             initial_cr: cr.clone(),
@@ -860,11 +852,11 @@ impl<'a> DrawingCtx<'a> {
     }
 
     pub fn increase_num_elements_rendered_through_use(&mut self, n: usize) {
-        self.num_elements_rendered_through_use += n;
+        self.num_elements_acquired += n;
     }
 
     fn check_limits(&self) -> Result<(), RenderingError> {
-        if self.num_elements_rendered_through_use > limits::MAX_REFERENCED_ELEMENTS {
+        if self.num_elements_acquired > limits::MAX_REFERENCED_ELEMENTS {
             Err(RenderingError::InstancingLimit)
         } else {
             Ok(())

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]