[vector_graphics_compiler]: Fix Stack Overflow and CPU/Memory DoS on SVGs with circular references or exponential expansions (#11740)

jeffkwoh · web-flow · commit e930ced66e87 · 2026-05-28T15:43:41.000-07:00
### Overview This PR resolves a critical compile-time **Stack Overflow** crash and prevents **CPU/Memory Denial of Service (DoS)** vulnerabilities in the `vector_graphics_compiler` tool caused by circular references and exponential element expansions (such as Billion Laughs / XML Entity Expansion attacks) in SVG assets. During compilation, the recursive AST resolution phase was vulnerable to: 1. **Infinite Loops (Stack Overflow)**: Self-referencing or circular elements (mask-loops, pattern-loops, recursive `<use>` chains, or circular `<use>` inside `<clipPath>` nodes) caused infinite recursion and thread stack exhaustion. 2. **Exponential DAG Expansions (CPU DoS)**: Acyclic Directed Acyclic Graphs (DAGs) referencing lower levels multiple times could bypass standard cycle guards and expand to billions of resolved nodes (e.g. Billion Laughs), locking up CPU and memory. This PR implements dual-layer security defenses: local DFS cycle-guards to cleanly break circular loops, and a strict, cumulative reference expansion limit to prevent resource exhaustion.--- ### Proposed Changes #### 1. Core DFS Cycle-Guards in AST Resolution (`resolver.dart` & `parser.dart`) - Added active ancestor tracking sets (`_activeMasks`, `_activePatterns`, and `_activeDeferred`) using `Set<String>` in `ResolvingVisitor`. - Wrapped recursive resolution steps in `try/finally` blocks to guarantee that IDs are popped from the tracking sets when unwinding the call stack, preventing state leaks. - Added a local cycle-guard set (`activeDeferred`) inside `getClipPath`'s recursive `extractPathsFromNode` helper to break circular `<use>` references inside clip paths. - If a [cycle](https://svgwg.org/svg2-draft/linking.html#:~:text=an%20identified%20resource.-,invalid%20reference,-Any%20of%20the) is detected, resolution immediately aborts for that node and falls back gracefully (rendering the base graphic normally without the broken layer), satisfying W3C SVG 2 [error-handling specifications](https://svgwg.org/svg2-draft/conform.html#ErrorProcessing:~:text=The%20document%20rendering%20shall%20continue%20after%20encountering%20element%20which%20has%20an%20error.%20The%20element%20or%20its%20part%20that%20is%20in%20error%20won%27t%20be%20rendered.). #### 2. Cumulative Reference Expansion Cap (`resolver.dart` & `parser.dart`) - Integrated a cumulative event counter (`_deferredExpansionCount`) to track the total number of reference expansions (calls to `visitDeferredNode` and `extractPathsFromNode`) during compilation. - Enforces a hard security threshold of **`10,000`** cumulative expansions. - If the threshold is exceeded, the compiler immediately throws a handled `StateError` (`SVG contains too many nested reference expansions (possible Denial of Service exploit)`), preventing CPU or heap memory exhaustion. #### 3. Regression and Security Unit Tests (`test/parser_test.dart`) Added robust test cases covering circular and exponential structures: - **Circular Loop Avoidance**: `Circular Mask Loop Avoidance`, `Circular Deferred Node Loop Avoidance`, `Circular Pattern Loop Avoidance`, and `Circular ClipPath Loop Avoidance`. - **Exponential DoS Mitigations**: `Exponential DAG expansion triggers DoS protection limit` and `Exponential DAG clipPath expansion triggers DoS protection limit` (verifying compile-time abortion on a 30-level deep Billion Laughs tree). --- ### Why a 1000 Expansion Limit? 1000 is somewhat arbitrary. Benchmarking tests did not reveal any concerns with limit. --- ### Verification Results - **100% Passing Tests**: Verified that all **307 unit tests** inside the `vector_graphics_compiler` package pass successfully. - **Zero Lints or Warnings**: `flutter analyze` and `dart format` complete successfully with **"No issues found!"**. --- ### Related Issues Fixes flutter/flutter#186750 Fixes flutter/flutter#186814 ## Pre-Review Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [AI contribution guidelines] and understand my responsibilities, or I am not using AI tools. - [x] I read the [Tree Hygiene] page, which explains my responsibilities. - [x] I read and followed the [relevant style guides] and ran [the auto-formatter]. - [x] I signed the [CLA]. - [x] The title of the PR starts with the name of the package surrounded by square brackets, e.g. `[shared_preferences]` - [x] I [linked to at least one issue that this PR fixes] in the description above. - [x] I followed [the version and CHANGELOG instructions], using [semantic versioning] and the [repository CHANGELOG style], or I have commented below to indicate which documented exception this PR falls under[^1]. - [x] I updated/added any relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or I have commented below to indicate which [test exemption] this PR falls under[^1]. - [x] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord]. **Note**: The Flutter team is currently trialing the use of [Gemini Code Assist for GitHub](https://developers.google.com/gemini-code-assist/docs/review-github-code). Comments from the `gemini-code-assist` bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed. [^1]: Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling.  [Contributor Guide]: https://github.com/flutter/packages/blob/main/CONTRIBUTING.md [AI contribution guidelines]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#ai-contribution-guidelines [Tree Hygiene]: https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md [relevant style guides]: https://github.com/flutter/packages/blob/main/CONTRIBUTING.md#style [the auto-formatter]: https://github.com/flutter/packages/blob/main/script/tool/README.md#format-code [CLA]: https://cla.developers.google.com/ [Discord]: https://github.com/flutter/flutter/blob/master/docs/contributing/Chat.md [linked to at least one issue that this PR fixes]: https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md#overview [the version and CHANGELOG instructions]: https://github.com/flutter/flutter/blob/master/docs/ecosystem/contributing/README.md#version-and-changelog-updates [semantic versioning]: https://dart.dev/tools/pub/versioning#semantic-versions [repository CHANGELOG style]: https://github.com/flutter/flutter/blob/master/docs/ecosystem/contributing/README.md#changelog-style [test exemption]: https://github.com/flutter/flutter/blob/master/docs/contributing/Tree-hygiene.md#tests # Appendix ## Vibecoded benchmark ``` ## Benchmark Results Table | Limit | SVG Type | Compilation Time (ms) | Memory (MB) | Status | | :--- | :--- | :---: | :---: | :--- | | 100 | `simple.svg` | 0.59 | 418.0 | **Success** | | 100 | `complex.svg` | 20.05 | 461.5 | **Success** | | 100 | `dos_depth_10.svg` | N/A | N/A | *Aborted (StateError)* | | 100 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* | | 100 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* | | 100 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* | | 500 | `simple.svg` | 0.58 | 397.3 | **Success** | | 500 | `complex.svg` | 19.08 | 463.1 | **Success** | | 500 | `dos_depth_10.svg` | N/A | N/A | *Aborted (StateError)* | | 500 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* | | 500 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* | | 500 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* | | 1000 | `simple.svg` | 0.67 | 417.0 | **Success** | | 1000 | `complex.svg` | 21.07 | 470.1 | **Success** | | 1000 | `dos_depth_10.svg` | N/A | N/A | *Aborted (StateError)* | | 1000 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* | | 1000 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* | | 1000 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* | | 5000 | `simple.svg` | 0.62 | 398.0 | **Success** | | 5000 | `complex.svg` | 21.17 | 460.5 | **Success** | | 5000 | `dos_depth_10.svg` | 10.31 | 465.7 | **Success** | | 5000 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* | | 5000 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* | | 5000 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* | | 10000 | `simple.svg` | 0.58 | 424.2 | **Success** | | 10000 | `complex.svg` | 22.35 | 533.5 | **Success** | | 10000 | `dos_depth_10.svg` | 9.97 | 466.8 | **Success** | | 10000 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* | | 10000 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* | | 10000 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* | | 50000 | `simple.svg` | 0.59 | 423.6 | **Success** | | 50000 | `complex.svg` | 21.70 | 463.2 | **Success** | | 50000 | `dos_depth_10.svg` | 9.70 | 470.6 | **Success** | | 50000 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* | | 50000 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* | | 50000 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* | ``` ```dart /// compile_worker.dart import 'dart:convert'; import 'dart:io'; import 'package:vector_graphics_compiler/vector_graphics_compiler.dart'; import 'dart:async'; Future<void> main(List<String> args) async { try { if (args.isEmpty) { stderr.writeln('Usage:'); stderr.writeln( ' dart compile_worker.dart single <input_svg_path> <output_vec_path>', ); stderr.writeln(' dart compile_worker.dart ipc'); exit(1); } final mode = args[0]; if (mode == 'single') { if (args.length < 3) { stderr.writeln( 'Error: single mode requires <input_svg_path> and <output_vec_path>', ); exit(1); } _runSingle(args[1], args[2]); } else if (mode == 'ipc') { await _runIpc(); } else { stderr.writeln('Unknown mode: $mode'); exit(1); } } catch (error, stackTrace) { stderr.writeln('Error in main: $error'); stderr.writeln(stackTrace); exit(1); } } int _readPeakRss() { try { final file = File('/proc/self/status'); if (file.existsSync()) { final lines = file.readAsLinesSync(); for (final line in lines) { if (line.startsWith('VmHWM:')) { final parts = line.split(RegExp(r'\s+')); if (parts.length >= 2) { return int.tryParse(parts[1]) ?? 0; } } } } } catch (e) { // Ignore } return 0; } void _runSingle(String inputPath, String outputPath) { try { final file = File(inputPath); if (!file.existsSync()) { throw Exception('Input file not found: $inputPath'); } final svgXml = file.readAsStringSync(); final vecBytes = encodeSvg( xml: svgXml, debugName: inputPath, enableMaskingOptimizer: false, enableClippingOptimizer: false, enableOverdrawOptimizer: false, ); final outputFile = File(outputPath); if (outputFile.parent.path.isNotEmpty) { outputFile.parent.createSync(recursive: true); } outputFile.writeAsBytesSync(vecBytes); stdout.writeln( jsonEncode(<String, Object>{ 'status': 'success', 'peak_rss_kb': _readPeakRss(), }), ); exit(0); } catch (e) { stdout.writeln( jsonEncode(<String, Object>{'status': 'error', 'error': e.toString()}), ); exit(1); } } Future<void> _runIpc() async { final Stream<String> lines = stdin .transform(utf8.decoder) .transform(const LineSplitter()); await for (final line in lines) { final trimmed = line.trim(); if (trimmed.isEmpty) { continue; } try { final Map<String, dynamic> request = jsonDecode(trimmed) as Map<String, dynamic>; final String xml = request['xml'] as String; final String name = request['name'] as String; final stopwatch = Stopwatch()..start(); encodeSvg( xml: xml, debugName: name, enableMaskingOptimizer: false, enableClippingOptimizer: false, enableOverdrawOptimizer: false, ); stopwatch.stop(); final response = <String, dynamic>{ 'status': 'success', 'latency_us': stopwatch.elapsedMicroseconds, }; stdout.writeln(jsonEncode(response)); await stdout.flush(); } catch (e) { final response = <String, dynamic>{ 'status': 'error', 'error': e.toString(), }; stdout.writeln(jsonEncode(response)); await stdout.flush(); } } } ``` ```dart /// benchmark.dart import 'dart:async'; import 'dart:convert'; import 'dart:io'; Future<void> main() async { final String scratchDir = '/usr/local/google/home/jeffkwoh/.gemini/jetski/scratch/benchmark_reference_limits'; final String constantFilePath = '/usr/local/google/home/jeffkwoh/.gemini/jetski/worktrees/packages/add-upstream-test-coverage-20260519/packages/vector_graphics_compiler/lib/src/svg/constants.dart'; final File constantFile = File(constantFilePath); if (!constantFile.existsSync()) { stderr.writeln('Error: Constants file not found at $constantFilePath'); exit(1); } // 1. Read and back up the original contents of the constant file. final String originalContents = constantFile.readAsStringSync(); print('Successfully backed up constants.dart. Original size: ${originalContents.length} bytes.'); final List<int> limits = [100, 500, 1000, 5000, 10000, 50000]; final List<String> assets = [ 'simple.svg', 'complex.svg', 'dos_depth_10.svg', 'dos_depth_15.svg', 'dos_depth_20.svg', 'dos_depth_30.svg' ]; final List<BenchmarkResult> results = []; // Ensure global try/finally block to write back original contents of constant file. try { for (final int limit in limits) { print('\n----------------------------------------'); print('Configuring limit kMaxReferenceExpansions = $limit'); print('----------------------------------------'); // a. Dynamically modify constants.dart final String updatedContents = originalContents.replaceAll( RegExp(r'const int kMaxReferenceExpansions = \d+;'), 'const int kMaxReferenceExpansions = $limit;', ); constantFile.writeAsStringSync(updatedContents); // b. Wait for 100ms to ensure disk sync await Future<void>.delayed(const Duration(milliseconds: 100)); // c. Run benchmarks for each SVG asset for (final String assetName in assets) { final String svgPath = '$scratchDir/assets/$assetName'; final String tmpOutPath = '$scratchDir/out_$assetName.vec'; print('Running single compilation for $assetName (peak RSS measurement)...'); // Run single compilation to get clean peak RSS. final ProcessResult singleResult = await Process.run( Platform.resolvedExecutable, ['compile_worker.dart', 'single', svgPath, tmpOutPath], workingDirectory: scratchDir, ); // Clean up the temporary .vec file if created. final File tmpFile = File(tmpOutPath); if (tmpFile.existsSync()) { tmpFile.deleteSync(); } final String stdoutStr = singleResult.stdout.toString().trim(); if (stdoutStr.isEmpty) { print(' Single compilation failed or returned empty stdout for $assetName.'); if (singleResult.stderr.toString().isNotEmpty) { print(' [STDERR] ${singleResult.stderr}'); } results.add(BenchmarkResult( limit: limit, svgType: assetName, compilationTimeMs: null, memoryMb: null, status: 'Aborted (StateError)', )); continue; } Map<String, dynamic> singleJson; try { singleJson = jsonDecode(stdoutStr) as Map<String, dynamic>; } catch (e) { print(' Failed to parse single mode JSON output: $stdoutStr'); results.add(BenchmarkResult( limit: limit, svgType: assetName, compilationTimeMs: null, memoryMb: null, status: 'Aborted (StateError)', )); continue; } if (singleJson['status'] == 'error') { print(' Limit hit or compile error: ${singleJson['error']}'); results.add(BenchmarkResult( limit: limit, svgType: assetName, compilationTimeMs: null, memoryMb: null, status: 'Aborted (StateError)', )); continue; } final int peakRssKb = singleJson['peak_rss_kb'] as int; final double memoryMb = peakRssKb / 1024.0; print(' Peak RSS: ${memoryMb.toStringAsFixed(2)} MB. Launching IPC mode for JIT warm-up and latency timing...'); // Start IPC worker subprocess. final Process process = await Process.start( Platform.resolvedExecutable, ['compile_worker.dart', 'ipc'], workingDirectory: scratchDir, ); final lines = process.stdout.transform(utf8.decoder).transform(const LineSplitter()); final iterator = StreamIterator(lines); process.stderr.transform(utf8.decoder).listen((errorLine) { print(' [CHILD STDERR] $errorLine'); }); double? averageLatencyMs; String statusStr = 'Success'; try { final File svgFile = File(svgPath); final String svgXml = svgFile.readAsStringSync(); final String requestJson = jsonEncode({ 'xml': svgXml, 'name': assetName, }); // Warm up compiler: send twice. for (int w = 0; w < 2; w++) { process.stdin.writeln(requestJson); await process.stdin.flush(); if (await iterator.moveNext()) { final Map<String, dynamic> warmResponse = jsonDecode(iterator.current) as Map<String, dynamic>; if (warmResponse['status'] != 'success') { throw Exception('Warm-up failed: ${warmResponse['error']}'); } } else { throw Exception('IPC stdout closed during warm-up'); } } // Run 10 actual timed iterations. final List<int> latenciesUs = []; for (int i = 0; i < 10; i++) { process.stdin.writeln(requestJson); await process.stdin.flush(); if (await iterator.moveNext()) { final Map<String, dynamic> response = jsonDecode(iterator.current) as Map<String, dynamic>; if (response['status'] == 'success') { latenciesUs.add(response['latency_us'] as int); } else { throw Exception('IPC timed run failed: ${response['error']}'); } } else { throw Exception('IPC stdout closed during timed runs'); } } final double avgUs = latenciesUs.reduce((a, b) => a + b) / latenciesUs.length; averageLatencyMs = avgUs / 1000.0; } catch (e) { print(' IPC run encountered error: $e'); statusStr = 'Aborted (StateError)'; } finally { process.kill(); await process.exitCode; } results.add(BenchmarkResult( limit: limit, svgType: assetName, compilationTimeMs: averageLatencyMs, memoryMb: memoryMb, status: statusStr, )); } } } finally { // ALWAYS restore the constants file to original state. print('\nRestoring constants.dart to original contents...'); constantFile.writeAsStringSync(originalContents); print('Restoration complete.'); } // 6. Generate jank_analysis_report.md print('\nGenerating jank_analysis_report.md...'); final File reportFile = File('$scratchDir/jank_analysis_report.md'); final StringBuffer report = StringBuffer(); report.writeln('# reference expansion limit jank analysis report'); report.writeln(); report.writeln('This report presents benchmarking results for evaluating various nested reference expansion limits under benign and malicious (Denial of Service) SVG workloads.'); report.writeln(); report.writeln('## Benchmark Results Table'); report.writeln(); report.writeln('| Limit | SVG Type | Compilation Time (ms) | Memory (MB) | Status |'); report.writeln('| :--- | :--- | :---: | :---: | :--- |'); for (final result in results) { final String limitStr = result.limit.toString(); final String svgType = '`${result.svgType}`'; final String compTimeStr = result.compilationTimeMs != null ? result.compilationTimeMs!.toStringAsFixed(2) : 'N/A'; final String memoryStr = result.memoryMb != null ? result.memoryMb!.toStringAsFixed(1) : 'N/A'; final String status = result.status == 'Success' ? '**Success**' : '*Aborted (StateError)*'; report.writeln('| $limitStr | $svgType | $compTimeStr | $memoryStr | $status |'); } report.writeln(); } class BenchmarkResult { final int limit; final String svgType; final double? compilationTimeMs; final double? memoryMb; final String status; BenchmarkResult({ required this.limit, required this.svgType, required this.compilationTimeMs, required this.memoryMb, required this.status, }); } ```
diff --git a/packages/vector_graphics_compiler/CHANGELOG.md b/packages/vector_graphics_compiler/CHANGELOG.md
@@ -1,5 +1,7 @@
-## NEXT
+## 1.2.4
 
+* Fix Stack Overflow crashes caused by circular references (masks, patterns, deferred nodes, and clip paths).
+* Prevent CPU/Memory Denial of Service (DoS) resource exhaustion from exponential DAG reference expansions (Billion Laughs SVG exploits) by enforcing a strict, cumulative reference expansion safety limit of 1,000.
 * Updates minimum supported SDK version to Flutter 3.38/Dart 3.10.
 
 ## 1.2.3
diff --git a/packages/vector_graphics_compiler/lib/src/svg/constants.dart b/packages/vector_graphics_compiler/lib/src/svg/constants.dart
@@ -0,0 +1,10 @@
+// Copyright 2013 The Flutter Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+/// The maximum number of nested reference expansions allowed in an SVG to prevent DoS exploits.
+const int kMaxReferenceExpansions = 1000;
+
+/// The error message thrown when the nested reference expansions limit is exceeded.
+const String kMaxReferenceExpansionsErrorMessage =
+    'SVG contains too many nested reference expansions (possible Denial of Service exploit).';
diff --git a/packages/vector_graphics_compiler/lib/src/svg/parser.dart b/packages/vector_graphics_compiler/lib/src/svg/parser.dart
@@ -21,6 +21,7 @@ import '../vector_instructions.dart';
 import 'clipping_optimizer.dart';
 import 'color_mapper.dart';
 import 'colors.dart';
+import 'constants.dart';
 import 'masking_optimizer.dart';
 import 'node.dart';
 import 'numbers.dart' as numbers show parseDoubleWithUnits;
@@ -1678,6 +1679,7 @@ class _Resolver {
   final Map<String, AttributedNode> _drawables = <String, AttributedNode>{};
   final Map<String, Gradient> _shaders = <String, Gradient>{};
   final Map<String, List<Node>> _clips = <String, List<Node>>{};
+  int _deferredExpansionCount = 0;
 
   bool _sealed = false;
 
@@ -1702,6 +1704,7 @@ class _Resolver {
 
     final pathBuilders = <PathBuilder>[];
     PathBuilder? currentPath;
+    final activeDeferred = <String>{};
     void extractPathsFromNode(Node? target) {
       if (target is PathNode) {
         final nextPath = PathBuilder.fromPath(target.path);
@@ -1716,7 +1719,19 @@ class _Resolver {
           currentPath!.addPath(nextPath.toPath(reset: false));
         }
       } else if (target is DeferredNode) {
-        extractPathsFromNode(target.resolver(target.refId));
+        _deferredExpansionCount++;
+        if (_deferredExpansionCount > kMaxReferenceExpansions) {
+          throw StateError(kMaxReferenceExpansionsErrorMessage);
+        }
+        if (!activeDeferred.add(target.refId)) {
+          // Recursive loop detected.
+          return;
+        }
+        try {
+          extractPathsFromNode(target.resolver(target.refId));
+        } finally {
+          activeDeferred.remove(target.refId);
+        }
       } else if (target is ParentNode) {
         target.visitChildren(extractPathsFromNode);
       }
diff --git a/packages/vector_graphics_compiler/lib/src/svg/resolver.dart b/packages/vector_graphics_compiler/lib/src/svg/resolver.dart
@@ -9,6 +9,7 @@ import '../geometry/path.dart';
 import '../geometry/vertices.dart';
 import '../image/image_info.dart';
 import '../paint.dart';
+import 'constants.dart';
 import 'node.dart';
 import 'parser.dart';
 import 'visitor.dart';
@@ -19,6 +20,11 @@ import 'visitor.dart';
 class ResolvingVisitor extends Visitor<Node, AffineMatrix> {
   late Rect _bounds;
 
+  final Set<String> _activeMasks = <String>{};
+  final Set<String> _activeDeferred = <String>{};
+  final Set<String> _activePatterns = <String>{};
+  int _deferredExpansionCount = 0;
+
   @override
   Node visitClipNode(ClipNode clipNode, AffineMatrix data) {
     final AffineMatrix childTransform = clipNode.concatTransform(data);
@@ -37,19 +43,31 @@ class ResolvingVisitor extends Visitor<Node, AffineMatrix> {
 
   @override
   Node visitMaskNode(MaskNode maskNode, AffineMatrix data) {
-    final AttributedNode? resolvedMask = maskNode.resolver(maskNode.maskId);
-    if (resolvedMask == null) {
+    _deferredExpansionCount++;
+    if (_deferredExpansionCount > kMaxReferenceExpansions) {
+      throw StateError(kMaxReferenceExpansionsErrorMessage);
+    }
+    if (!_activeMasks.add(maskNode.maskId)) {
+      // Recursive loop detected.
       return maskNode.child.accept(this, data);
     }
-    final Node child = maskNode.child.accept(this, data);
-    final AffineMatrix childTransform = maskNode.concatTransform(data);
-    final Node mask = resolvedMask.accept(this, childTransform);
-
-    return ResolvedMaskNode(
-      child: child,
-      mask: mask,
-      blendMode: maskNode.blendMode,
-    );
+    try {
+      final AttributedNode? resolvedMask = maskNode.resolver(maskNode.maskId);
+      if (resolvedMask == null) {
+        return maskNode.child.accept(this, data);
+      }
+      final Node child = maskNode.child.accept(this, data);
+      final AffineMatrix childTransform = maskNode.concatTransform(data);
+      final Node mask = resolvedMask.accept(this, childTransform);
+
+      return ResolvedMaskNode(
+        child: child,
+        mask: mask,
+        blendMode: maskNode.blendMode,
+      );
+    } finally {
+      _activeMasks.remove(maskNode.maskId);
+    }
   }
 
   @override
@@ -180,17 +198,29 @@ class ResolvingVisitor extends Visitor<Node, AffineMatrix> {
 
   @override
   Node visitDeferredNode(DeferredNode deferredNode, AffineMatrix data) {
-    final AttributedNode? resolvedNode = deferredNode.resolver(
-      deferredNode.refId,
-    );
-    if (resolvedNode == null) {
+    _deferredExpansionCount++;
+    if (_deferredExpansionCount > kMaxReferenceExpansions) {
+      throw StateError(kMaxReferenceExpansionsErrorMessage);
+    }
+    if (!_activeDeferred.add(deferredNode.refId)) {
+      // Recursive loop detected.
       return Node.empty;
     }
-    final Node concreteRef = resolvedNode.applyAttributes(
-      deferredNode.attributes,
-      replace: true,
-    );
-    return concreteRef.accept(this, data);
+    try {
+      final AttributedNode? resolvedNode = deferredNode.resolver(
+        deferredNode.refId,
+      );
+      if (resolvedNode == null) {
+        return Node.empty;
+      }
+      final Node concreteRef = resolvedNode.applyAttributes(
+        deferredNode.attributes,
+        replace: true,
+      );
+      return concreteRef.accept(this, data);
+    } finally {
+      _activeDeferred.remove(deferredNode.refId);
+    }
   }
 
   @override
@@ -293,26 +323,38 @@ class ResolvingVisitor extends Visitor<Node, AffineMatrix> {
 
   @override
   Node visitPatternNode(PatternNode patternNode, AffineMatrix data) {
-    final AttributedNode? resolvedPattern = patternNode.resolver(
-      patternNode.patternId,
-    );
-    if (resolvedPattern == null) {
+    _deferredExpansionCount++;
+    if (_deferredExpansionCount > kMaxReferenceExpansions) {
+      throw StateError(kMaxReferenceExpansionsErrorMessage);
+    }
+    if (!_activePatterns.add(patternNode.patternId)) {
+      // Recursive loop detected.
       return patternNode.child.accept(this, data);
     }
-    final Node child = patternNode.child.accept(this, data);
-    final AffineMatrix childTransform = patternNode.concatTransform(data);
-    final Node pattern = resolvedPattern.accept(this, childTransform);
-
-    return ResolvedPatternNode(
-      child: child,
-      pattern: pattern,
-      x: resolvedPattern.attributes.x?.calculate(0) ?? 0,
-      y: resolvedPattern.attributes.y?.calculate(0) ?? 0,
-      width: resolvedPattern.attributes.width!,
-      height: resolvedPattern.attributes.height!,
-      transform: data,
-      id: patternNode.patternId,
-    );
+    try {
+      final AttributedNode? resolvedPattern = patternNode.resolver(
+        patternNode.patternId,
+      );
+      if (resolvedPattern == null) {
+        return patternNode.child.accept(this, data);
+      }
+      final Node child = patternNode.child.accept(this, data);
+      final AffineMatrix childTransform = patternNode.concatTransform(data);
+      final Node pattern = resolvedPattern.accept(this, childTransform);
+
+      return ResolvedPatternNode(
+        child: child,
+        pattern: pattern,
+        x: resolvedPattern.attributes.x?.calculate(0) ?? 0,
+        y: resolvedPattern.attributes.y?.calculate(0) ?? 0,
+        width: resolvedPattern.attributes.width!,
+        height: resolvedPattern.attributes.height!,
+        transform: data,
+        id: patternNode.patternId,
+      );
+    } finally {
+      _activePatterns.remove(patternNode.patternId);
+    }
   }
 
   @override
diff --git a/packages/vector_graphics_compiler/pubspec.yaml b/packages/vector_graphics_compiler/pubspec.yaml
@@ -2,7 +2,7 @@ name: vector_graphics_compiler
 description: A compiler to convert SVGs to the binary format used by `package:vector_graphics`.
 repository: https://github.com/flutter/packages/tree/main/packages/vector_graphics_compiler
 issue_tracker: https://github.com/flutter/flutter/issues?q=is%3Aissue+is%3Aopen+label%3A%22p%3A+vector_graphics%22
-version: 1.2.3
+version: 1.2.4
 
 executables:
   vector_graphics_compiler:
diff --git a/packages/vector_graphics_compiler/test/parser_test.dart b/packages/vector_graphics_compiler/test/parser_test.dart
