VYPR
Unrated severity · NVD Advisory · Published Sep 22, 2018 · Updated Aug 5, 2024

CVE-2018-17332


Description

An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

libsvg2 through 2012-10-19 has a memory leak in svgGetNextPathField() that can lead to denial of service via crafted SVG input.

Vulnerability

The vulnerability resides in the svgGetNextPathField function in svg_string.c of libsvg2 through 2012-10-19. When parsing malformed SVG path data, the function can return the same pointer it received as input (szStart) without advancing, causing subsequent code to perform wasteful malloc calls in an infinite loop. The issue occurs because the while loop that skips whitespace characters does not handle all cases correctly, allowing szStart to remain unchanged. This leads to repeated allocation of memory for path commands via svgNewPathCommand without freeing previous allocations. The bug is specifically triggered when uiCmdIdx is set to 18, causing a dead block in the parsing logic [1].
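The no-progress pattern described above, together with the caller-side guard that stops it, as an added example. This is not libsvg2 code: `next_field` and `count_path_fields` are hypothetical names, and the scanner is a simplified stand-in that returns its input pointer when only separators remain.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical field scanner (not libsvg2 code): skips whitespace and commas,
 * copies the next run of non-separator characters into a malloc'd buffer and
 * returns a pointer just past it. It returns `start` unchanged when nothing
 * but separators remain, or when the allocation fails. */
static const char *next_field(const char *start, char **out)
{
    const char *p = start;
    *out = NULL;
    while (*p && (isspace((unsigned char)*p) || *p == ','))
        p++;
    if (*p == '\0')
        return start;              /* no progress: caller must detect this */
    const char *end = p;
    while (*end && !isspace((unsigned char)*end) && *end != ',')
        end++;
    size_t n = (size_t)(end - p);
    *out = malloc(n + 1);
    if (*out == NULL)
        return start;
    memcpy(*out, p, n);
    (*out)[n] = '\0';
    return end;
}

/* Caller loop with the checks an unguarded loop lacks: stop when the scanner
 * did not advance, free each field, and cap the number of fields accepted.
 * Returns the number of fields parsed, or -1 if max_fields is exceeded. */
long count_path_fields(const char *data, long max_fields)
{
    long count = 0;
    const char *cur = data;
    while (*cur != '\0') {
        char *field = NULL;
        const char *next = next_field(cur, &field);
        free(field);               /* a real parser would consume it first */
        if (next == cur)           /* scanner returned its input pointer */
            break;
        if (++count > max_fields)
            return -1;
        cur = next;
    }
    return count;
}

int main(void) { return count_path_fields("M 10,20 L 30 40  ", 100) == 6 ? 0 : 1; }
```

Without the `next == cur` check, the constructed input with trailing spaces would keep the loop running forever, because `cur` never reaches the terminating NUL.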

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted SVG file that triggers the defective code path. No authentication is required; the attacker only needs to convince a victim or service to parse the malicious SVG using libsvg2. The specific input causes svgGetNextPathField to return the original pointer without advancing, resulting in an infinite loop of malloc calls that progressively consumes memory [1].

Impact

Successful exploitation leads to a denial of service (DoS) condition through memory exhaustion. Repeated allocations gradually consume the system's available memory, potentially causing the application or even the entire system to crash when it runs out of memory. Of confidentiality, integrity, and availability, only availability is affected; no data disclosure or remote code execution is possible [1].

Mitigation

As of the publication date (2018-09-22), no official fix or patched version of libsvg2 was available. The project appears to be abandoned (last update 2012-10-19). Users are advised to avoid using libsvg2 to parse untrusted SVG files and to consider alternative SVG parsing libraries that are actively maintained. No workaround is provided in the available reference [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
