VYPR
Unrated severity · NVD Advisory · Published Sep 22, 2018 · Updated Aug 5, 2024

CVE-2018-17333

Description

An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack-based buffer overflow in libsvg2's svgStringToLength function allows remote attackers to cause denial of service or possibly execute arbitrary code via a crafted SVG file.

Vulnerability

A stack-based buffer overflow exists in the svgStringToLength function in svg_types.c of libsvg2 through version 2012-10-19. The function uses sscanf(szValue, "%f%s", &ptLength->fValue, szUnit) where szUnit is a local buffer of 8 bytes. The %s format specifier does not limit the number of characters read, allowing an attacker to write past the buffer's bounds when parsing a crafted SVG length attribute [1].
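
An added example, not libsvg2's code or part of the advisory: the unbounded call described above is shown in a comment, next to a bounded parse that rejects unit tokens too long for the 8-byte buffer. The names example_length and parse_length_bounded are hypothetical, and this version swaps sscanf for strtof plus an explicit length check.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define UNIT_BUF 8 /* the advisory text gives szUnit as an 8-byte local buffer */

/* Hypothetical stand-in for the library's length type; only fValue and
 * szUnit are names taken from the advisory text. */
typedef struct {
    float fValue;
    char  szUnit[UNIT_BUF];
} example_length;

/* Pattern described in the advisory (shown for contrast, not compiled):
 *     sscanf(szValue, "%f%s", &ptLength->fValue, szUnit);
 * "%s" carries no field width, so the unit token is copied unbounded.
 * The smallest fix is a width one less than the buffer: "%f%7s". */

/* Bounded parse: returns 0 on success, -1 on malformed or over-long input. */
int parse_length_bounded(const char *szValue, example_length *out)
{
    char *end = NULL;
    float value;
    size_t unit_len;

    if (szValue == NULL || out == NULL)
        return -1;

    value = strtof(szValue, &end);
    if (end == szValue)
        return -1;                          /* no numeric part */

    while (isspace((unsigned char)*end))
        end++;                              /* "%s" also skips leading blanks */

    unit_len = strcspn(end, " \t\r\n\v\f"); /* unit token, as "%s" would read it */
    if (unit_len >= UNIT_BUF)
        return -1;                          /* reject instead of truncating */

    out->fValue = value;
    memcpy(out->szUnit, end, unit_len);
    out->szUnit[unit_len] = '\0';
    return 0;
}
```

A bare "%7s" width also stops the overflow but silently truncates the unit; rejecting the input keeps a malformed length from being treated as a valid one.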

Exploitation

An attacker can trigger the overflow by providing a malicious SVG file containing a length value with a unit string longer than 7 characters (e.g., a long sequence of non-whitespace characters after the numeric part). No authentication is required; the victim must open the SVG file in an application that uses libsvg2, such as a browser or image viewer. The overflow corrupts the stack, potentially overwriting the return address or other critical data [1].

Impact

Successful exploitation can cause a denial of service (application crash). The reference also indicates that arbitrary code execution (RCE) may be possible, especially when libsvg2 is used in a browser context, as the stack overflow can be leveraged to hijack control flow [1].

Mitigation

No official fix has been released; the libsvg2 project appears to be abandoned (last update 2012). Users should avoid using libsvg2 and migrate to a maintained SVG parsing library. There is no known workaround. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
