Merge pull request #1787 from lovell/svg-loader-skip-control-chars

Ensure SVG loader skips input with chars outside x09-x7F range
John Cupitt 2020-08-21 11:37:10 +01:00 committed by GitHub
commit 7a8e891632
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 9 additions and 3 deletions


@ -211,7 +211,7 @@ vips_foreign_load_svg_is_a( const void *buf, size_t len )
* before the <svg line.
*
* Simple rules:
* - first 24 chars are plain ascii
* - first 24 chars are plain ascii (x09-x7F)
* - first SVG_HEADER_SIZE chars contain "<svg", upper or lower case.
*
* We could rsvg_handle_new_from_data() on the buffer, but that can be
@ -220,7 +220,7 @@ vips_foreign_load_svg_is_a( const void *buf, size_t len )
if( len < 24 )
return( 0 );
for( i = 0; i < 24; i++ )
if( !isascii( str[i] ) )
if( !isascii( str[i] ) || str[i] < 9 )
return( FALSE );
for( i = 0; i < SVG_HEADER_SIZE && i < len - 5; i++ )
if( g_ascii_strncasecmp( str + i, "<svg", 4 ) == 0 )
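Review bot: The tightened guard in the second hunk, `if( !isascii( str[i] ) || str[i] < 9 )`, still accepts 0x0B, 0x0C and 0x0E-0x1F, which are not legal XML 1.0 characters, so non-SVG input carrying those bytes in its first 24 bytes can still be sniffed as SVG and passed on to the SVG parser. Only tab, LF and CR are valid below 0x20, so the check could be `if( !isascii( str[i] ) || (str[i] < 0x20 && str[i] != '\t' && str[i] != '\n' && str[i] != '\r') )`, with the "(x09-x7F)" comment in the first hunk updated to match. The declaration of `str` is outside the hunk, so it is worth confirming its signedness does not change how the `< 9` comparison behaves. vips_foreign_load_svg_is_a starts and ends outside both hunks.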


@ -21,6 +21,7 @@ OME_FILE = os.path.join(IMAGES, "multi-channel-z-series.ome.tif")
ANALYZE_FILE = os.path.join(IMAGES, "t00740_tr1_segm.hdr")
GIF_FILE = os.path.join(IMAGES, "cramps.gif")
WEBP_FILE = os.path.join(IMAGES, "1.webp")
WEBP_LOOKS_LIKE_SVG_FILE = os.path.join(IMAGES, "looks-like-svg.webp")
EXR_FILE = os.path.join(IMAGES, "sample.exr")
FITS_FILE = os.path.join(IMAGES, "WFPC2u5780205r_c0fx.fits")
OPENSLIDE_FILE = os.path.join(IMAGES, "CMU-1-Small-Region.svs")

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.5 KiB


@ -17,7 +17,7 @@ from helpers import \
GIF_ANIM_DISPOSE_PREVIOUS_FILE, \
GIF_ANIM_DISPOSE_PREVIOUS_EXPECTED_PNG_FILE, \
temp_filename, assert_almost_equal_objects, have, skip_if_no, \
TIF1_FILE, TIF2_FILE, TIF4_FILE
TIF1_FILE, TIF2_FILE, TIF4_FILE, WEBP_LOOKS_LIKE_SVG_FILE
class TestForeign:
@ -676,6 +676,11 @@ class TestForeign:
assert x1.get("page-height") == x2.get("page-height")
assert x1.get("gif-loop") == x2.get("gif-loop")
# WebP image that happens to contain the string "<svg"
if have("svgload"):
x = pyvips.Image.new_from_file(WEBP_LOOKS_LIKE_SVG_FILE)
assert x.get("vips-loader") == "webpload"
@skip_if_no("analyzeload")
def test_analyzeload(self):
def analyze_valid(im):
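Review bot: The new regression check in the second hunk exercises only `pyvips.Image.new_from_file(WEBP_LOOKS_LIKE_SVG_FILE)`, while the changed sniffer takes `( const void *buf, size_t len )` and untrusted images often arrive as in-memory buffers. Reading the same fixture into `data` and adding `x = pyvips.Image.new_from_buffer(data, "")` followed by `assert x.get("vips-loader").startswith("webpload")` would pin the buffer path too. The assertion also expects "webpload" but is gated only on `have("svgload")`; the enclosing test method starts outside the hunk, so presumably a webpload skip decorator already covers it, which is worth confirming. A short comment that the fixture's first 24 bytes are ASCII apart from a byte below 0x09 would explain why this file in particular triggers the old behaviour, if that is indeed the case.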