From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
From: Benjamin Otte
Date: Wed, 7 Oct 2015 05:31:08 +0200
Subject: [PATCH] state: Store mask as reference
Instead of immediately looking up the mask, store the reference and look it up on use.
Upstream-status: Backport supporting patch https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2
CVE: CVE-2015-7558
Signed-off-by: Armin Kuster
---
 rsvg-cairo-draw.c | 6 +++++-
 rsvg-mask.c | 17 -----------------
 rsvg-mask.h | 2 --
 rsvg-styles.c | 12 ++++++++----
 rsvg-styles.h | 2 +-
 5 files changed, 14 insertions(+), 25 deletions(-)
Index: librsvg-2.40.10/rsvg-cairo-draw.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
+++ librsvg-2.40.10/rsvg-cairo-draw.c
@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
 cairo_set_operator (render->cr, state->comp_op);
 if (state->mask) {
- rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
+ RsvgNode *mask;
+
+ mask = rsvg_defs_lookup (ctx->defs, state->mask);
+ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
+ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
 } else if (state->opacity != 0xFF)
 cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
 else
Index: librsvg-2.40.10/rsvg-mask.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-mask.c
+++ librsvg-2.40.10/rsvg-mask.c
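Review bot: In the rsvg_cairo_pop_render_stack hunk (rsvg-cairo-draw.c), a `state->mask` string that fails `rsvg_defs_lookup`, or resolves to a node that is not `RSVG_NODE_TYPE_MASK`, still takes the outer `if (state->mask)` branch, so neither the mask nor the `else if`/`else` paint paths run for that group. Before this change an unresolvable reference left `state->mask` NULL (the removed rsvg_mask_parse returned NULL) and fell through to those paint paths. If drawing nothing is the intended result, record it with a comment on the inner test, e.g. `/* unresolved or non-mask reference: nothing is painted */`; otherwise the fallback needs an explicit `else`. Separately, the lookup now runs during rendering on a name taken from the document, and nothing in this hunk bounds re-entry into mask generation for the same node, so it is worth confirming that the rest of the CVE-2015-7558 series supplies that guard. The function body starts and ends outside the hunk.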
@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
 }
 RsvgNode *
-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
-{
- char *name;
-
- name = rsvg_get_url_string (str);
- if (name) {
- RsvgNode *val;
- val = rsvg_defs_lookup (defs, name);
- g_free (name);
-
- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
- return val;
- }
- return NULL;
-}
-
-RsvgNode *
 rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
 {
 char *name;
Index: librsvg-2.40.10/rsvg-mask.h
===================================================================
--- librsvg-2.40.10.orig/rsvg-mask.h
+++ librsvg-2.40.10/rsvg-mask.h
@@ -48,8 +48,6 @@ struct _RsvgMask {
 G_GNUC_INTERNAL
 RsvgNode *rsvg_new_mask (void);
-G_GNUC_INTERNAL
-RsvgNode *rsvg_mask_parse (const RsvgDefs * defs, const char *str);
 typedef struct _RsvgClipPath RsvgClipPath;
Index: librsvg-2.40.10/rsvg-styles.c
===================================================================
--- librsvg-2.40.10.orig/rsvg-styles.c
+++ librsvg-2.40.10/rsvg-styles.c
@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const
 *dst = *src;
 dst->parent = parent;
+ dst->mask = g_strdup (src->mask);
 dst->font_family = g_strdup (src->font_family);
 dst->lang = g_strdup (src->lang);
 rsvg_paint_server_ref (dst->fill);
@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
 if (inherituninheritables) {
 dst->clip_path_ref = src->clip_path_ref;
- dst->mask = src->mask;
+ g_free (dst->mask);
+ dst->mask = g_strdup (src->mask);
 dst->enable_background = src->enable_background;
 dst->adobe_blend = src->adobe_blend;
 dst->opacity = src->opacity;
@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
 void
 rsvg_state_finalize (RsvgState * state)
 {
+ g_free (state->mask);
 g_free (state->font_family);
 g_free (state->lang);
 rsvg_paint_server_unref (state->fill);
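Review bot: In the rsvg_state_inherit_run hunk (rsvg-styles.c), `g_free (dst->mask)` runs before `g_strdup (src->mask)`, so the copy reads freed memory if `dst` and `src` are the same state or share the string through a shallow struct copy. No caller is visible on this page, so this may never happen today, but duplicating first removes the dependency on that: `char *copy = g_strdup (src->mask); g_free (dst->mask); dst->mask = copy;`, with `copy` declared wherever the file's declaration style requires. The function body starts and ends outside the hunk.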
@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
 state->adobe_blend = 11;
 else
 state->adobe_blend = 0;
- } else if (g_str_equal (name, "mask"))
- state->mask = rsvg_mask_parse (ctx->priv->defs, value);
- else if (g_str_equal (name, "clip-path")) {
+ } else if (g_str_equal (name, "mask")) {
+ g_free (state->mask);
+ state->mask = rsvg_get_url_string (value);
+ } else if (g_str_equal (name, "clip-path")) {
 state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
 } else if (g_str_equal (name, "overflow")) {
 if (!g_str_equal (value, "inherit")) {
Index: librsvg-2.40.10/rsvg-styles.h
===================================================================
--- librsvg-2.40.10.orig/rsvg-styles.h
+++ librsvg-2.40.10/rsvg-styles.h
@@ -80,7 +80,7 @@ struct _RsvgState {
 cairo_matrix_t personal_affine;
 RsvgFilter *filter;
- void *mask;
+ char *mask;
 void *clip_path_ref;
 guint8 adobe_blend; /* 0..11 */
 guint8 opacity; /* 0..255 */
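Review bot: In the rsvg-styles.h hunk, the new `char *mask;` member carries no comment, although its meaning changed from a node pointer to a string the state owns. The other hunks on this page set the contract — duplicated in rsvg_state_clone and rsvg_state_inherit_run, freed in rsvg_state_finalize, assigned from rsvg_get_url_string() in rsvg_parse_style_pair, resolved with rsvg_defs_lookup() in rsvg_cairo_pop_render_stack — and the declaration is the place to record it: `char *mask; /* owned reference string from rsvg_get_url_string(), or NULL; resolved and type-checked at render time */`. Code outside this patch that casts `state->mask` to a node type would still compile, so a search for remaining users is advisable. The struct definition starts and ends outside the hunk.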