[vector_graphics_compiler]: Fix Stack Overflow and CPU/Memory DoS on SVGs with circular references or exponential expansions

[jeffkwoh]

Overview

This PR resolves a critical compile-time Stack Overflow crash and prevents CPU/Memory Denial of Service (DoS) vulnerabilities in the vector_graphics_compiler tool caused by circular references and exponential element expansions (such as Billion Laughs / XML Entity Expansion attacks) in SVG assets.

During compilation, the recursive AST resolution phase was vulnerable to:

1. Infinite Loops (Stack Overflow): Self-referencing or circular elements (mask-loops, pattern-loops, recursive <use> chains, or circular <use> inside <clipPath> nodes) caused infinite recursion and thread stack exhaustion.
2. Exponential DAG Expansions (CPU DoS): Acyclic Directed Acyclic Graphs (DAGs) referencing lower levels multiple times could bypass standard cycle guards and expand to billions of resolved nodes (e.g. Billion Laughs), locking up CPU and memory.

This PR implements dual-layer security defenses: local DFS cycle-guards to cleanly break circular loops, and a strict, cumulative reference expansion limit to prevent resource exhaustion.---

Proposed Changes

1. Core DFS Cycle-Guards in AST Resolution (resolver.dart & parser.dart)

• Added active ancestor tracking sets (_activeMasks, _activePatterns, and _activeDeferred) using Set<String> in ResolvingVisitor.
• Wrapped recursive resolution steps in try/finally blocks to guarantee that IDs are popped from the tracking sets when unwinding the call stack, preventing state leaks.
• Added a local cycle-guard set (activeDeferred) inside getClipPath's recursive extractPathsFromNode helper to break circular <use> references inside clip paths.
• If a cycle is detected, resolution immediately aborts for that node and falls back gracefully (rendering the base graphic normally without the broken layer), satisfying W3C SVG 2 error-handling specifications.

2. Cumulative Reference Expansion Cap (resolver.dart & parser.dart)

• Integrated a cumulative event counter (_deferredExpansionCount) to track the total number of reference expansions (calls to visitDeferredNode and extractPathsFromNode) during compilation.
• Enforces a hard security threshold of 10,000 cumulative expansions.
• If the threshold is exceeded, the compiler immediately throws a handled StateError (SVG contains too many nested reference expansions (possible Denial of Service exploit)), preventing CPU or heap memory exhaustion.

3. Regression and Security Unit Tests (test/parser_test.dart)

Added robust test cases covering circular and exponential structures:

• Circular Loop Avoidance: Circular Mask Loop Avoidance, Circular Deferred Node Loop Avoidance, Circular Pattern Loop Avoidance, and Circular ClipPath Loop Avoidance.
• Exponential DoS Mitigations: Exponential DAG expansion triggers DoS protection limit and Exponential DAG clipPath expansion triggers DoS protection limit (verifying compile-time abortion on a 30-level deep Billion Laughs tree).

---

Why a 1000 Expansion Limit?

1000 is somewhat arbitrary. Benchmarking tests did not reveal any concerns with limit.

---

Verification Results

• 100% Passing Tests: Verified that all 307 unit tests inside the vector_graphics_compiler package pass successfully.
• Zero Lints or Warnings: flutter analyze and dart format complete successfully with "No issues found!".

---

Related Issues

Fixes flutter/flutter#186750
Fixes flutter/flutter#186814

Pre-Review Checklist

• I read the Contributor Guide and followed the process outlined there for submitting PRs.
• I read the AI contribution guidelines and understand my responsibilities, or I am not using AI tools.
• I read the Tree Hygiene page, which explains my responsibilities.
• I read and followed the relevant style guides and ran the auto-formatter.
• I signed the CLA.
• The title of the PR starts with the name of the package surrounded by square brackets, e.g. [shared_preferences]
• I linked to at least one issue that this PR fixes in the description above.
• I followed the version and CHANGELOG instructions, using semantic versioning and the repository CHANGELOG style, or I have commented below to indicate which documented exception this PR falls under¹.
• I updated/added any relevant documentation (doc comments with ///).
• I added new tests to check the change I am making, or I have commented below to indicate which test exemption this PR falls under¹.
• All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.

Note: The Flutter team is currently trialing the use of Gemini Code Assist for GitHub. Comments from the gemini-code-assist bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed.

Appendix

Vibecoded benchmark

## Benchmark Results Table


| Limit | SVG Type | Compilation Time (ms) | Memory (MB) | Status |
| :--- | :--- | :---: | :---: | :--- |
| 100 | `simple.svg` | 0.59 | 418.0 | **Success** |
| 100 | `complex.svg` | 20.05 | 461.5 | **Success** |
| 100 | `dos_depth_10.svg` | N/A | N/A | *Aborted (StateError)* |
| 100 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* |
| 100 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* |
| 100 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* |
| 500 | `simple.svg` | 0.58 | 397.3 | **Success** |
| 500 | `complex.svg` | 19.08 | 463.1 | **Success** |
| 500 | `dos_depth_10.svg` | N/A | N/A | *Aborted (StateError)* |
| 500 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* |
| 500 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* |
| 500 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* |
| 1000 | `simple.svg` | 0.67 | 417.0 | **Success** |
| 1000 | `complex.svg` | 21.07 | 470.1 | **Success** |
| 1000 | `dos_depth_10.svg` | N/A | N/A | *Aborted (StateError)* |
| 1000 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* |
| 1000 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* |
| 1000 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* |
| 5000 | `simple.svg` | 0.62 | 398.0 | **Success** |
| 5000 | `complex.svg` | 21.17 | 460.5 | **Success** |
| 5000 | `dos_depth_10.svg` | 10.31 | 465.7 | **Success** |
| 5000 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* |
| 5000 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* |
| 5000 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* |
| 10000 | `simple.svg` | 0.58 | 424.2 | **Success** |
| 10000 | `complex.svg` | 22.35 | 533.5 | **Success** |
| 10000 | `dos_depth_10.svg` | 9.97 | 466.8 | **Success** |
| 10000 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* |
| 10000 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* |
| 10000 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* |
| 50000 | `simple.svg` | 0.59 | 423.6 | **Success** |
| 50000 | `complex.svg` | 21.70 | 463.2 | **Success** |
| 50000 | `dos_depth_10.svg` | 9.70 | 470.6 | **Success** |
| 50000 | `dos_depth_15.svg` | N/A | N/A | *Aborted (StateError)* |
| 50000 | `dos_depth_20.svg` | N/A | N/A | *Aborted (StateError)* |
| 50000 | `dos_depth_30.svg` | N/A | N/A | *Aborted (StateError)* |

/// compile_worker.dart

import 'dart:convert';
import 'dart:io';
import 'package:vector_graphics_compiler/vector_graphics_compiler.dart';
import 'dart:async';
Future<void> main(List<String> args) async {
  try {
    if (args.isEmpty) {
      stderr.writeln('Usage:');
      stderr.writeln(
        '  dart compile_worker.dart single <input_svg_path> <output_vec_path>',
      );
      stderr.writeln('  dart compile_worker.dart ipc');
      exit(1);
    }
    final mode = args[0];
    if (mode == 'single') {
      if (args.length < 3) {
        stderr.writeln(
          'Error: single mode requires <input_svg_path> and <output_vec_path>',
        );
        exit(1);
      }
      _runSingle(args[1], args[2]);
    } else if (mode == 'ipc') {
      await _runIpc();
    } else {
      stderr.writeln('Unknown mode: $mode');
      exit(1);
    }
  } catch (error, stackTrace) {
    stderr.writeln('Error in main: $error');
    stderr.writeln(stackTrace);
    exit(1);
  }
}
int _readPeakRss() {
  try {
    final file = File('/proc/self/status');
    if (file.existsSync()) {
      final lines = file.readAsLinesSync();
      for (final line in lines) {
        if (line.startsWith('VmHWM:')) {
          final parts = line.split(RegExp(r'\s+'));
          if (parts.length >= 2) {
            return int.tryParse(parts[1]) ?? 0;
          }
        }
      }
    }
  } catch (e) {
    // Ignore
  }
  return 0;
}
void _runSingle(String inputPath, String outputPath) {
  try {
    final file = File(inputPath);
    if (!file.existsSync()) {
      throw Exception('Input file not found: $inputPath');
    }
    final svgXml = file.readAsStringSync();
    final vecBytes = encodeSvg(
      xml: svgXml,
      debugName: inputPath,
      enableMaskingOptimizer: false,
      enableClippingOptimizer: false,
      enableOverdrawOptimizer: false,
    );
    final outputFile = File(outputPath);
    if (outputFile.parent.path.isNotEmpty) {
      outputFile.parent.createSync(recursive: true);
    }
    outputFile.writeAsBytesSync(vecBytes);
    stdout.writeln(
      jsonEncode(<String, Object>{
        'status': 'success',
        'peak_rss_kb': _readPeakRss(),
      }),
    );
    exit(0);
  } catch (e) {
    stdout.writeln(
      jsonEncode(<String, Object>{'status': 'error', 'error': e.toString()}),
    );
    exit(1);
  }
}
Future<void> _runIpc() async {
  final Stream<String> lines = stdin
      .transform(utf8.decoder)
      .transform(const LineSplitter());
  await for (final line in lines) {
    final trimmed = line.trim();
    if (trimmed.isEmpty) {
      continue;
    }
    try {
      final Map<String, dynamic> request =
          jsonDecode(trimmed) as Map<String, dynamic>;
      final String xml = request['xml'] as String;
      final String name = request['name'] as String;
      final stopwatch = Stopwatch()..start();
      encodeSvg(
        xml: xml,
        debugName: name,
        enableMaskingOptimizer: false,
        enableClippingOptimizer: false,
        enableOverdrawOptimizer: false,
      );
      stopwatch.stop();
      final response = <String, dynamic>{
        'status': 'success',
        'latency_us': stopwatch.elapsedMicroseconds,
      };
      stdout.writeln(jsonEncode(response));
      await stdout.flush();
    } catch (e) {
      final response = <String, dynamic>{
        'status': 'error',
        'error': e.toString(),
      };
      stdout.writeln(jsonEncode(response));
      await stdout.flush();
    }
  }
}

/// benchmark.dart 
 
import 'dart:async';
import 'dart:convert';
import 'dart:io';
Future<void> main() async {
  final String scratchDir = '/usr/local/google/home/jeffkwoh/.gemini/jetski/scratch/benchmark_reference_limits';
  final String constantFilePath = '/usr/local/google/home/jeffkwoh/.gemini/jetski/worktrees/packages/add-upstream-test-coverage-20260519/packages/vector_graphics_compiler/lib/src/svg/constants.dart';
  final File constantFile = File(constantFilePath);
  if (!constantFile.existsSync()) {
    stderr.writeln('Error: Constants file not found at $constantFilePath');
    exit(1);
  }
  // 1. Read and back up the original contents of the constant file.
  final String originalContents = constantFile.readAsStringSync();
  print('Successfully backed up constants.dart. Original size: ${originalContents.length} bytes.');
  final List<int> limits = [100, 500, 1000, 5000, 10000, 50000];
  final List<String> assets = [
    'simple.svg',
    'complex.svg',
    'dos_depth_10.svg',
    'dos_depth_15.svg',
    'dos_depth_20.svg',
    'dos_depth_30.svg'
  ];
  final List<BenchmarkResult> results = [];
  // Ensure global try/finally block to write back original contents of constant file.
  try {
    for (final int limit in limits) {
      print('\n----------------------------------------');
      print('Configuring limit kMaxReferenceExpansions = $limit');
      print('----------------------------------------');
      // a. Dynamically modify constants.dart
      final String updatedContents = originalContents.replaceAll(
        RegExp(r'const int kMaxReferenceExpansions = \d+;'),
        'const int kMaxReferenceExpansions = $limit;',
      );
      constantFile.writeAsStringSync(updatedContents);
      // b. Wait for 100ms to ensure disk sync
      await Future<void>.delayed(const Duration(milliseconds: 100));
      // c. Run benchmarks for each SVG asset
      for (final String assetName in assets) {
        final String svgPath = '$scratchDir/assets/$assetName';
        final String tmpOutPath = '$scratchDir/out_$assetName.vec';
        print('Running single compilation for $assetName (peak RSS measurement)...');
        // Run single compilation to get clean peak RSS.
        final ProcessResult singleResult = await Process.run(
          Platform.resolvedExecutable,
          ['compile_worker.dart', 'single', svgPath, tmpOutPath],
          workingDirectory: scratchDir,
        );
        // Clean up the temporary .vec file if created.
        final File tmpFile = File(tmpOutPath);
        if (tmpFile.existsSync()) {
          tmpFile.deleteSync();
        }
        final String stdoutStr = singleResult.stdout.toString().trim();
        if (stdoutStr.isEmpty) {
          print('  Single compilation failed or returned empty stdout for $assetName.');
          if (singleResult.stderr.toString().isNotEmpty) {
            print('  [STDERR] ${singleResult.stderr}');
          }
          results.add(BenchmarkResult(
            limit: limit,
            svgType: assetName,
            compilationTimeMs: null,
            memoryMb: null,
            status: 'Aborted (StateError)',
          ));
          continue;
        }
        Map<String, dynamic> singleJson;
        try {
          singleJson = jsonDecode(stdoutStr) as Map<String, dynamic>;
        } catch (e) {
          print('  Failed to parse single mode JSON output: $stdoutStr');
          results.add(BenchmarkResult(
            limit: limit,
            svgType: assetName,
            compilationTimeMs: null,
            memoryMb: null,
            status: 'Aborted (StateError)',
          ));
          continue;
        }
        if (singleJson['status'] == 'error') {
          print('  Limit hit or compile error: ${singleJson['error']}');
          results.add(BenchmarkResult(
            limit: limit,
            svgType: assetName,
            compilationTimeMs: null,
            memoryMb: null,
            status: 'Aborted (StateError)',
          ));
          continue;
        }
        final int peakRssKb = singleJson['peak_rss_kb'] as int;
        final double memoryMb = peakRssKb / 1024.0;
        print('  Peak RSS: ${memoryMb.toStringAsFixed(2)} MB. Launching IPC mode for JIT warm-up and latency timing...');
        // Start IPC worker subprocess.
        final Process process = await Process.start(
          Platform.resolvedExecutable,
          ['compile_worker.dart', 'ipc'],
          workingDirectory: scratchDir,
        );
        final lines = process.stdout.transform(utf8.decoder).transform(const LineSplitter());
        final iterator = StreamIterator(lines);
        process.stderr.transform(utf8.decoder).listen((errorLine) {
          print('  [CHILD STDERR] $errorLine');
        });
        double? averageLatencyMs;
        String statusStr = 'Success';
        try {
          final File svgFile = File(svgPath);
          final String svgXml = svgFile.readAsStringSync();
          final String requestJson = jsonEncode({
            'xml': svgXml,
            'name': assetName,
          });
          // Warm up compiler: send twice.
          for (int w = 0; w < 2; w++) {
            process.stdin.writeln(requestJson);
            await process.stdin.flush();
            if (await iterator.moveNext()) {
              final Map<String, dynamic> warmResponse = jsonDecode(iterator.current) as Map<String, dynamic>;
              if (warmResponse['status'] != 'success') {
                throw Exception('Warm-up failed: ${warmResponse['error']}');
              }
            } else {
              throw Exception('IPC stdout closed during warm-up');
            }
          }
          // Run 10 actual timed iterations.
          final List<int> latenciesUs = [];
          for (int i = 0; i < 10; i++) {
            process.stdin.writeln(requestJson);
            await process.stdin.flush();
            if (await iterator.moveNext()) {
              final Map<String, dynamic> response = jsonDecode(iterator.current) as Map<String, dynamic>;
              if (response['status'] == 'success') {
                latenciesUs.add(response['latency_us'] as int);
              } else {
                throw Exception('IPC timed run failed: ${response['error']}');
              }
            } else {
              throw Exception('IPC stdout closed during timed runs');
            }
          }
          final double avgUs = latenciesUs.reduce((a, b) => a + b) / latenciesUs.length;
          averageLatencyMs = avgUs / 1000.0;
        } catch (e) {
          print('  IPC run encountered error: $e');
          statusStr = 'Aborted (StateError)';
        } finally {
          process.kill();
          await process.exitCode;
        }
        results.add(BenchmarkResult(
          limit: limit,
          svgType: assetName,
          compilationTimeMs: averageLatencyMs,
          memoryMb: memoryMb,
          status: statusStr,
        ));
      }
    }
  } finally {
    // ALWAYS restore the constants file to original state.
    print('\nRestoring constants.dart to original contents...');
    constantFile.writeAsStringSync(originalContents);
    print('Restoration complete.');
  }
  // 6. Generate jank_analysis_report.md
  print('\nGenerating jank_analysis_report.md...');
  final File reportFile = File('$scratchDir/jank_analysis_report.md');
  final StringBuffer report = StringBuffer();
  report.writeln('# reference expansion limit jank analysis report');
  report.writeln();
  report.writeln('This report presents benchmarking results for evaluating various nested reference expansion limits under benign and malicious (Denial of Service) SVG workloads.');
  report.writeln();
  report.writeln('## Benchmark Results Table');
  report.writeln();
  report.writeln('| Limit | SVG Type | Compilation Time (ms) | Memory (MB) | Status |');
  report.writeln('| :--- | :--- | :---: | :---: | :--- |');
  for (final result in results) {
    final String limitStr = result.limit.toString();
    final String svgType = '`${result.svgType}`';
    final String compTimeStr = result.compilationTimeMs != null
        ? result.compilationTimeMs!.toStringAsFixed(2)
        : 'N/A';
    final String memoryStr = result.memoryMb != null
        ? result.memoryMb!.toStringAsFixed(1)
        : 'N/A';
    final String status = result.status == 'Success' ? '**Success**' : '*Aborted (StateError)*';
    report.writeln('| $limitStr | $svgType | $compTimeStr | $memoryStr | $status |');
  }
  report.writeln();
}

class BenchmarkResult {
  final int limit;
  final String svgType;
  final double? compilationTimeMs;
  final double? memoryMb;
  final String status;
  BenchmarkResult({
    required this.limit,
    required this.svgType,
    required this.compilationTimeMs,
    required this.memoryMb,
    required this.status,
  });
}

Footnotes

1. Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling. ↩ ↩²

[jeffkwoh]

The code is write is mostly closed sourced; so I'm not used to this workflow (sorry!). How do i trigger the automated CI tests here so i can fix issues before a proper review?

[gemini-code-assist]

Code Review

This pull request introduces protections against stack overflow crashes and Denial of Service (DoS) attacks by limiting reference expansions and detecting circular dependencies in SVG masks, patterns, and deferred nodes. Feedback focuses on improving the robustness of these checks by making the expansion counter global to the resolver, applying the limit to more node types, and relocating constants to avoid circular dependencies.

[stuartmorgan-g]

How do i trigger the automated CI tests here so i can fix issues before a proper review?

You can't; only Flutter team members are able to trigger CI.

[jeffkwoh]

How do i trigger the automated CI tests here so i can fix issues before a proper review?

You can't; only Flutter team members are able to trigger CI.

Thanks!

[auto-submit]

autosubmit label was removed for flutter/packages/11740, because This PR has not met approval requirements for merging. The PR author is not a member of flutter-hackers and needs 1 more review(s) in order to merge this PR.

• Merge guidelines: A PR needs at least one approved review if the author is already part of flutter-hackers or two member reviews if the author is not a member of flutter-hackers before re-applying the autosubmit label. Reviewers: If you left a comment approving, please use the "approve" review action instead.

[Piinks]

LGTM

[jtmcdole]

thanks for this pr, @jeffkwoh !