
Library susceptible to billion laugh style attacks

Open unshorn opened this issue 4 years ago • 5 comments

When I try to open a malicious SVG that is created using nested references it hangs the application. The sample test case is at https://unshorn.github.io/foo.svg. Other samples are: https://unshorn.github.io/nested-pattern-crash.svg and https://unshorn.github.io/deep.svg

unshorn avatar Nov 06 '19 01:11 unshorn

Yes, xlink:href nesting is not limited.

RazrFalcon avatar Nov 06 '19 07:11 RazrFalcon

I'm looking into this right now and it looks like deep.svg is malformed. </g> at 5000019 should be removed.

RazrFalcon avatar Jun 13 '21 14:06 RazrFalcon

foo.svg and deep.svg are fixed. nested-pattern-crash.svg is more complicated.

For some reason, Chrome and Batik are able to render nested-pattern-crash.svg just fine. Firefox and Inkscape freeze. librsvg returns an error.

RazrFalcon avatar Jun 13 '21 15:06 RazrFalcon

Looks like the files have been deleted, so can't reproduce it. :(

LaurenzV avatar Feb 20 '24 09:02 LaurenzV

I don't have them either. I will try to reproduce nested-pattern-crash.svg. AFAIK it had a lot of nested patterns (a pattern with a pattern with a pattern and so on), but in the case of resvg it just took forever to render. Not an actual endless loop.

RazrFalcon avatar Feb 20 '24 15:02 RazrFalcon
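
The thread separates two failure modes: a reference chain that loops back on itself, and nesting that is finite but takes forever to render. The pre-render check below is an added example, not resvg's code or its actual fix; the reference-graph model (`Refs`), `MAX_DEPTH` and `MAX_NODES` are assumptions chosen for illustration.

```rust
use std::collections::HashMap;

/// Verdict for one element's reference graph, decided before rendering.
#[derive(Debug, PartialEq)]
enum Verdict {
    Renderable(u64), // total element instantiations, within budget
    TooExpensive,    // finite but over budget: slow to render, not a loop
    TooDeep,         // nesting deeper than the recursion limit
    Cycle,           // an element reaches itself: a true endless loop
}

// Hypothetical model (not resvg's): refs[i] lists the elements that element i
// references; an index listed twice means two references to that element.
type Refs = Vec<Vec<usize>>;
const MAX_DEPTH: usize = 64; // assumed limits, tune per application
const MAX_NODES: u64 = 1_000_000;

fn cost(id: usize, refs: &Refs, memo: &mut HashMap<usize, u64>,
        stack: &mut Vec<usize>) -> Result<u64, Verdict> {
    if stack.contains(&id) { return Err(Verdict::Cycle); }
    if let Some(&c) = memo.get(&id) { return Ok(c); }
    if stack.len() >= MAX_DEPTH { return Err(Verdict::TooDeep); }
    stack.push(id);
    let mut total: u64 = 1; // the element itself
    for &child in refs.get(id).into_iter().flatten() {
        // Saturating add: a count that would overflow is still "too many".
        total = total.saturating_add(cost(child, refs, memo, stack)?);
    }
    stack.pop();
    memo.insert(id, total); // memoised, so the check itself stays linear
    Ok(total)
}

fn check(root: usize, refs: &Refs) -> Verdict {
    match cost(root, refs, &mut HashMap::new(), &mut Vec::new()) {
        Ok(n) if n > MAX_NODES => Verdict::TooExpensive,
        Ok(n) => Verdict::Renderable(n),
        Err(v) => v,
    }
}

// Constructed sample: `levels` elements, each referencing the next `fanout` times.
fn chain(levels: usize, fanout: usize) -> Refs {
    (0..levels).map(|i| if i + 1 < levels { vec![i + 1; fanout] } else { vec![] }).collect()
}

fn main() {
    println!("{:?}", check(0, &chain(4, 2)));  // shallow nesting
    println!("{:?}", check(0, &chain(30, 2))); // exponential expansion
    println!("{:?}", check(0, &vec![vec![1], vec![0]])); // self-reference
}
```

Because each element's cost is memoised, the check runs in time linear in the number of references even when the expansion it measures is exponential.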