[librsvg/librsvg-2.44: 5/7] Limit the number of loaded elements

[Federico Mena Quintero <federico src gnome org>]

commit 5edea8ca9fbecbd6c36f7fd28894e49f356d8b78
Author: Federico Mena Quintero <federico gnome org>
Date:   Wed Feb 26 19:06:56 2020 -0600

    Limit the number of loaded elements

 librsvg/rsvg-load.c                              |  20 ++++++++++++++++++++
 tests/errors.c                                   |   4 ++++
 tests/fixtures/errors/515-too-many-elements.svgz | Bin 0 -> 40811 bytes
 3 files changed, 24 insertions(+)
---
diff --git a/librsvg/rsvg-load.c b/librsvg/rsvg-load.c
index 44e1f670..ea1e2bfb 100644
--- a/librsvg/rsvg-load.c
+++ b/librsvg/rsvg-load.c
@@ -66,6 +66,7 @@ struct RsvgLoad {
      */
     RsvgSaxHandler *handler;
     int handler_nest;
+    gsize num_loaded_elements;
 
     GHashTable *entities;       /* g_malloc'd string -> xmlEntityPtr */
 
@@ -608,12 +609,31 @@ start_xinclude (RsvgLoad *load, RsvgPropertyBag * atts)
 
 /* end xinclude */
 
+static gboolean
+loading_limits_exceeded (RsvgLoad *load)
+{
+    /* This is a mitigation for SVG files which create millions of elements
+     * in an attempt to exhaust memory.  We don't allow loading more than
+     * this number of elements during the initial streaming load process.
+    */
+    return load->num_loaded_elements > 200000;
+}
+
 static void
 sax_start_element_cb (void *data, const xmlChar * name, const xmlChar ** atts)
 {
     RsvgPropertyBag bag;
     RsvgLoad *load = data;
 
+    if (loading_limits_exceeded (load)) {
+        g_set_error (load->error, RSVG_ERROR, 0, "instancing limit");
+
+        xmlStopParser (load->ctxt);
+        return;
+    }
+
+    load->num_loaded_elements += 1;
+
     bag = rsvg_property_bag_new ((const char **) atts);
 
     if (load->handler) {
diff --git a/tests/errors.c b/tests/errors.c
index 85663004..52795680 100644
--- a/tests/errors.c
+++ b/tests/errors.c
@@ -96,6 +96,10 @@ main (int argc, char **argv)
                                test_instancing_limit,
                                NULL);
 
+    g_test_add_data_func_full ("/errors/515-too-many-elements.svgz",
+                               "515-too-many-elements.svgz",
+                               test_loading_error,
+                               NULL);
 
     return g_test_run ();
 }
diff --git a/tests/fixtures/errors/515-too-many-elements.svgz 
b/tests/fixtures/errors/515-too-many-elements.svgz
new file mode 100644
index 00000000..a7f7cf67
Binary files /dev/null and b/tests/fixtures/errors/515-too-many-elements.svgz differ