support for inline stylesheets text/css in nanosvg

[jordo]

nanosvg isn't being maintained anymore: memononen/nanosvg#55

The current nanosvg doesn't have support for stylesheets... so this PR pulls in stylesheet support from here: memononen/nanosvg#175

Previously any stylesheet information wasn't parsed in nanosvg. Both inkscape and adobe illustrator export with stylesheets which don't render properly:

With this change, nanosvg correctly renders the styles defined in the svg stylesheet:

[akien-mga]

Seems OK, but some changes are needed:

• Style issues as pointed out in Basic style sheets support memononen/nanosvg#175
• We normally don't modify thirdparty code. When we do, this needs to be pointed out clearly with:
  • A mention in the relevant place in thirdparty/README.md.
  • A .patch file with the equivalent changes includes in thirdparty/nanosvg/patches/ so that the changes can be reapplied if/when we sync with upstream master (which we could do as there have been recent bugfixes). You can do this with git format-patch -1 after committing, move the patch to thirdparty/nanosvg/patches/pr175-style-sheets.patch or similar, and use git commit --amend to include it in the original patch.
• Will need a rebase once nanosvg: Sync with upstream cc6c08d #43633 is merged (like the upstream PR).

[akien-mga]

That's the typical minefield for security vulnerabilities. Did you ensure that it can't do out of bounds reads or similar?
It would be better IMO to use existing C standard methods instead of reimplementing something that's coming in C23.

[akien-mga]

What's the reason for closing this?

For the reference, the upstream repo is somewhat more active nowadays (though mostly for bugfixes), so it might be worth mentioning interest in the upstream PR, do a technical review there, and see if it can be merged eventually. That'd be better than backporting a PR that we hasn't been approved/reviewed upstream yet.

[jordo]

I closed because this is unlikely to get upstreamed. The PR to upstream is almost a year old, and https://github.com/memononen/nanosvg isn't actively maintained as documented in the first line of the README.md There were comments on older and similar stylesheet PR's in that repo that seem like stylesheet support will not be added.

We have this pulled into our private fork, which we are fine with a one-off for a small dependency, and because we don't do any svg processing in games we're not too concerned about security vulnerabilities within the godot editor itself.

I agree that godot shouldn't maintain or accept third-party code that hasn't been merged upstream so I closed the PR.

I may keep an eye on https://github.com/memononen/nanosvg from time to time, and if something changes I'll reopen another PR. But until then, it seems better to cleanup PR's for godot that are just going to hand around indefinitely.