librsvg 2.62.2

A library to render SVG images to Cairo surfaces. GNOME uses this to render SVG icons. Outside of GNOME, other desktop environments use it for similar purposes. Wikimedia uses it for Wikipedia's SVG diagrams.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

//! Processing limits to mitigate malicious SVGs.

/// Maximum number of times that elements can be referenced through URL fragments.
///
/// This is a mitigation for the security-related bugs:
/// <https://gitlab.gnome.org/GNOME/librsvg/issues/323>
/// <https://gitlab.gnome.org/GNOME/librsvg/issues/515>
///
/// Imagine the XML [billion laughs attack], but done in SVG's terms:
///
/// - #323 above creates deeply nested groups of `<use>` elements.
///   The first one references the second one ten times, the second one
///   references the third one ten times, and so on.  In the file given,
///   this causes 10^17 objects to be rendered.  While this does not
///   exhaust memory, it would take a really long time.
///
/// - #515 has deeply nested references of `<pattern>` elements.  Each
///   object inside each pattern has an attribute
///   fill="url(#next_pattern)", so the number of final rendered objects
///   grows exponentially.
///
/// We deal with both cases by placing a limit on how many references
/// will be resolved during the SVG rendering process, that is,
/// how many `url(#foo)` will be resolved.
///
/// [billion laughs attack]: https://bitbucket.org/tiran/defusedxml
pub const MAX_REFERENCED_ELEMENTS: usize = 500_000;

/// Maximum number of elements loadable per document.
///
/// This is a mitigation for SVG files which create millions of elements
/// in an attempt to exhaust memory.  We don't allow loading more than
/// this number of elements during the initial streaming load process.
pub const MAX_LOADED_ELEMENTS: usize = 1_000_000;

/// Maximum number of attributes per XML element.
///
/// A malicious file could have `<foo attr1="blah" attr2="blah" attr3="blah"/>`,
/// etc.  Librsvg puts this limit on how many attributes an element can have.
pub const MAX_LOADED_ATTRIBUTES: usize = u16::MAX as usize;

/// Maximum level of nesting for XInclude (XML Include) files.
///
/// See <https://gitlab.gnome.org/GNOME/librsvg/-/issues/942>.  With
/// the use of XML like `<xi:include parse="xml" href="foo.xml"/>`, an
/// SVG document can recursively include other XML files.  This value
/// defines a maximum level of nesting for XInclude, to prevent cases
/// where the base document is included within itself, or when two
/// documents recursively include each other.
pub const MAX_XINCLUDE_DEPTH: usize = 20;

/// Maximum level of nesting for layers during rendering.
///
/// This is a mitigation for malicious SVGs which try to have layers that are nested
/// extremely deep, as this could cause stack exhaustion.
pub const MAX_LAYER_NESTING_DEPTH: u16 = 50;