!id.is_shorthand panic when parsing malformed SVG
Minimum reproducible example:
```rust
fn main() {
    let data = br#"<svg><text style="font: inherit"></text><text styyle=""></text></svg>"#;
    let bytes = glib::Bytes::from(data);
    let stream = gio::MemoryInputStream::from_bytes(&bytes);
    let _ = librsvg::Loader::new().read_stream(
        &stream,
        None::<&gio::File>,        // no base file as this document has no references
        None::<&gio::Cancellable>, // no cancellable
    );
}
```
This is with a Cargo.toml of

```toml
[package]
name = "scratchVsQjohEq8"
version = "0.1.0"
edition = "2021"

[dependencies]
gio = "0.14.8"
glib = "0.14.8"
librsvg = { git = "https://gitlab.gnome.org/GNOME/librsvg.git", rev = "22ba84bb091ed587e026c11c61a964fae897a549" }
```
but I can also reproduce this with rsvg-convert version 2.52.0.

I found this with a simple cargo-fuzz harness and a corpus from https://github.com/strongcourage/fuzzing-corpus .
The panic is https://gitlab.gnome.org/GNOME/librsvg/-/blob/22ba84bb091ed587e026c11c61a964fae897a549/src/properties.rs#L514
Edited by 5225225
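
A regression check for the rsvg-convert reproduction mentioned in the report, as an added example that is not part of the original issue or of librsvg: it pipes the reproducer to the binary and separates a clean rejection of malformed input from a panic or abort. It assumes a Unix host with `rsvg-convert` on `PATH`; `Outcome`, `classify` and `run_case` are names made up for this example.

```rust
use std::io::Write;
use std::os::unix::process::ExitStatusExt; // Unix-only: exposes the terminating signal
use std::process::{Command, ExitStatus, Stdio};

/// Reproducer copied verbatim from the report above.
const REPRO: &[u8] =
    br#"<svg><text style="font: inherit"></text><text styyle=""></text></svg>"#;

#[derive(Debug, PartialEq)]
enum Outcome {
    Rendered,       // exit 0: input was accepted
    Rejected(i32),  // clean error exit: acceptable for malformed input
    Panicked,       // exit 101: Rust's default status when a panic unwinds out of main
    Signalled(i32), // killed by a signal, e.g. SIGABRT when built with panic=abort
}

fn classify(status: ExitStatus) -> Outcome {
    match status.code() {
        Some(0) => Outcome::Rendered,
        Some(101) => Outcome::Panicked,
        Some(code) => Outcome::Rejected(code),
        // No exit code on Unix means the process was terminated by a signal.
        None => Outcome::Signalled(status.signal().unwrap_or(0)),
    }
}

/// Feed `input` to `program` on stdin and classify how it exits.
fn run_case(program: &str, args: &[&str], input: &[u8]) -> std::io::Result<Outcome> {
    let mut child = Command::new(program)
        .args(args)
        .stdin(Stdio::piped())
        .stdout(Stdio::null())
        .stderr(Stdio::null())
        .spawn()?;
    if let Some(mut stdin) = child.stdin.take() {
        // The child may die before reading everything; a broken pipe is not our failure.
        let _ = stdin.write_all(input);
    } // stdin is dropped here, so the child sees EOF
    child.wait().map(classify)
}

fn main() {
    // Assumption: rsvg-convert is on PATH; with no file argument it reads stdin.
    match run_case("rsvg-convert", &[], REPRO) {
        Ok(Outcome::Panicked) | Ok(Outcome::Signalled(_)) => println!("still crashes"),
        Ok(other) => println!("no crash: {:?}", other),
        Err(e) => println!("could not run rsvg-convert: {}", e),
    }
}
```

`Rejected` is the outcome to expect from a build where malformed input is refused without crashing; run the same check over each file of a fuzzing corpus to triage it.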