oss-sec mailing list archives

Re: Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions


From: Brian May <brian () linuxpenguins xyz>
Date: Wed, 11 May 2016 08:36:48 +1000

Just did a git bisect against the source. Assuming I got this right, the
following commits fixed the issue.

They affect the following functions:

* rsvg_cairo_pop_discrete_layer - rsvg_cairo_pop_render_stack -
rsvg_cairo_generate_mask: reproducible using circular-1.svg

Use CVE-2016-4347.

Fixed in:

commit a51919f7e1ca9c535390a746fbf6e28c8402dc61
Author: Benjamin Otte <otte () redhat com>
Date:   Wed Oct 7 08:45:37 2015 +0200

    rsvg: Add rsvg_acquire_node()
    
    This function does proper recursion checks when looking up resources
    from URLs and thereby helps avoid infinite loops when cyclic
    references span multiple types of elements.


* _rsvg_css_normalize_font_size: reproducible using circular-2.svg

Use CVE-2016-4348.

Fixed in:

commit d1c9191949747f6dcfd207831d15dd4ba00e31f2
Author: Benjamin Otte <otte () redhat com>
Date:   Wed Oct 7 05:31:08 2015 +0200

    state: Store mask as reference
    
    Instead of immediately looking up the mask, store the reference and look
    it up on use.


This fix is two commits before the other commit.
-- 
Brian May <brian () linuxpenguins xyz>
https://linuxpenguins.xyz/brian/
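The two commit messages above describe the shape of the fix: references such as mask="url(#id)" are stored as references and resolved only when drawn, and the resolver refuses to hand out a node that is already being drawn, so a chain of references that comes back to itself is cut off even when it passes through several element types (rect, mask, use, clipPath, ...). The following C program is an added illustration of that check, written for this page; it is not librsvg code and does not reproduce rsvg_acquire_node(), and the element table, the two constructed documents and the helper names (draw_unchecked, draw_checked, acquire, release, nodes_checked, has_cycle) are my own and stand in for the circular-1.svg / circular-2.svg files mentioned in the report, which are not shown here. It contrasts the pre-fix behaviour (follow every reference, never terminate on a cycle) with an acquisition stack that flags the cycle, and includes an acyclic "diamond" document that shares one group between a mask and a clip path to show that shared references must not be mistaken for cycles.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not librsvg code. An element has an id, an informational type and
 * up to two outgoing url(#id)-style references (mask, clip-path, xlink:href,
 * fill="url(#pattern)", ...). References are stored as ids and resolved at draw
 * time. A document is an array terminated by an element whose id is NULL. */
typedef struct {
    const char *id;
    const char *type;
    const char *ref_a;
    const char *ref_b;
} Element;

#define MAX_ACQUIRED 64

typedef struct {
    const Element *doc;
    const char *acquired[MAX_ACQUIRED]; /* ids currently being drawn: the acquisition stack */
    int depth;
    int cycle_detected;
} Ctx;

/* Constructed documents (assumptions, not the files from the report).
 * 'cyclic': a rect drawn through a mask whose content <use>s the rect itself,
 * so the cycle spans three element types (rect -> mask -> use -> rect).
 * 'diamond': acyclic, but a mask and a clipPath both reference the same group;
 * a correct checker must not flag it. */
static const Element cyclic[] = {
    { "r", "rect", "m", NULL },  /* <rect id="r" mask="url(#m)"/>          */
    { "m", "mask", "u", NULL },  /* <mask id="m"><use id="u" .../></mask>  */
    { "u", "use",  "r", NULL },  /* <use id="u" xlink:href="#r"/>          */
    { NULL, NULL, NULL, NULL }
};
static const Element diamond[] = {
    { "r", "rect",     "m", "c"  },  /* mask="url(#m)" clip-path="url(#c)" */
    { "m", "mask",     "g", NULL },
    { "c", "clipPath", "g", NULL },
    { "g", "g",        NULL, NULL },
    { NULL, NULL, NULL, NULL }
};

static const Element *lookup(const Element *doc, const char *id) {
    if (!id) return NULL;
    for (const Element *e = doc; e->id; e++)
        if (strcmp(e->id, id) == 0) return e;
    return NULL;
}

/* Pre-fix behaviour: follow every reference with no memory of what is already
 * being drawn. On a cyclic document this never terminates; the budget stands in
 * for the stack that would overflow. Returns the node count, or -1 when the
 * budget runs out. */
static int draw_unchecked(const Element *doc, const char *id, int *budget) {
    const Element *e = lookup(doc, id);
    if (!e) return 0;
    if (--*budget < 0) return -1;
    int count = 1;
    const char *refs[2] = { e->ref_a, e->ref_b };
    for (int i = 0; i < 2; i++) {
        int sub = draw_unchecked(doc, refs[i], budget);
        if (sub < 0) return -1;
        count += sub;
    }
    return count;
}

/* Post-fix shape: a node may only be acquired if it is not already on the
 * acquisition stack. A hit means the reference chain came back to itself. */
static const Element *acquire(Ctx *c, const char *id) {
    if (!id) return NULL;
    for (int i = 0; i < c->depth; i++)
        if (strcmp(c->acquired[i], id) == 0) { c->cycle_detected = 1; return NULL; }
    const Element *e = lookup(c->doc, id);
    if (!e || c->depth >= MAX_ACQUIRED) return NULL;
    c->acquired[c->depth++] = id;
    return e;
}

static void release(Ctx *c) { if (c->depth > 0) c->depth--; }

static int draw_checked(Ctx *c, const char *id) {
    const Element *e = acquire(c, id);
    if (!e) return 0;
    int count = 1;
    count += draw_checked(c, e->ref_a);
    count += draw_checked(c, e->ref_b);
    release(c); /* leaving the node: a sibling may legitimately reference it again */
    return count;
}

/* Public helpers for the demo and for testing. */
int nodes_unchecked(const Element *doc, const char *root, int budget) {
    return draw_unchecked(doc, root, &budget);
}
int nodes_checked(const Element *doc, const char *root) {
    Ctx c = { doc, {0}, 0, 0 };
    return draw_checked(&c, root);
}
int has_cycle(const Element *doc, const char *root) {
    Ctx c = { doc, {0}, 0, 0 };
    draw_checked(&c, root);
    return c.cycle_detected;
}

int main(void) {
    printf("cyclic:  unchecked=%d checked=%d cycle=%d\n",
           nodes_unchecked(cyclic, "r", 1000), nodes_checked(cyclic, "r"), has_cycle(cyclic, "r"));
    printf("diamond: unchecked=%d checked=%d cycle=%d\n",
           nodes_unchecked(diamond, "r", 1000), nodes_checked(diamond, "r"), has_cycle(diamond, "r"));
    return 0;
}
```

The point of the release() on the way out is the difference between "already drawn" and "currently being drawn": a visited set would wrongly reject the diamond document, while the stack accepts it and still stops the rect -> mask -> use -> rect loop after one pass. A real renderer would also want a depth cap independent of cycle detection, since a long acyclic chain of nested references is a separate resource-exhaustion case.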