Security vulnerabilities and automated fixes for svg parsing issues
3 posts found
ImageMagick's drawing-wand component contained a critical buffer overflow vulnerability in the MVGPrintf() function where vsprintf() was used without bounds checking. By switching to snprintf() with proper size constraints, the fix prevents attackers from overflowing the MVG buffer through crafted SVG files and achieving arbitrary code execution.
A critical buffer overflow vulnerability was discovered in the nanosvg.h SVG parser where the `memcpy` call at line 913 copies gradient stop data using an attacker-controlled size (`nstops`) without validating buffer boundaries. A crafted SVG file with excessive `<stop>` elements could trigger heap corruption, potentially enabling arbitrary code execution. The fix adds a bounds check before the `memcpy` operation to prevent writes when no valid stops exist.
A critical heap buffer overflow vulnerability was discovered and patched in the NanoSVG SVG parsing library, where missing bounds checks on memcpy operations allowed attacker-controlled SVG data to overflow heap buffers. Without validation of gradient stop counts and attribute array indices, a specially crafted SVG file could trigger arbitrary code execution. The fix adds proper bounds checking before all memory copy operations, closing a dangerous attack vector present in any application that p