rsvg-base.c | 89 81 + 8 - 0 !
rsvg-io.c | 2 1 + 1 - 0 !
rsvg-private.h | 4 2 + 2 - 0 !
3 files changed, 84 insertions(+), 11 deletions(-)

 io: implement strict load policy

Allow any file to load from data:, and any resource to load from other
resources. Only allow file: to load other file: URIs from below the path
of the base file. Any other loads are denied.

Bug #691708.

rsvg-base.c | 3 3 + 0 - 0 !
rsvg-css.c | 2 2 + 0 - 0 !
2 files changed, 5 insertions(+)

 io: use xml_parse_nonet

We don't want to load resources off the net.

Bug #691708.

rsvg-gobject.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 revert abi breakage
 Provide the rsvg_handle_new_gz function.
 Do not provide the C prototype to force
 applications using it to use rsvg_handle_new instead.

rsvg-convert.c | 27 23 + 4 - 0 !
1 file changed, 23 insertions(+), 4 deletions(-)

---

ltmain.sh | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

---

rsvg-shapes.c | 14 13 + 1 - 0 !
1 file changed, 13 insertions(+), 1 deletion(-)

 bgo#738050 - handle the case where a list of coordinate pairs has an
 odd number of elements

Lists of points come in coordinate pairs, but we didn't have any checking for that.
It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate
of an x,y pair, that was in fact missing, leading to an out-of-bounds array read.

In that case, we now reuse the last-known y coordinate.

Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050

Signed-off-by: Federico Mena Quintero <federico@gnome.org>