CVE-2019-6245
Description
An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SVG++ (aka svgpp) 1.2.3. In the function agg::cell_aa::not_equal, dx is assigned to (x2 - x1). If dx >= dx_limit, which is (16384 << poly_subpixel_shift), this function will call itself recursively. There can be a situation where (x2 - x1) is always bigger than dx_limit during the recursion, leading to continual stack consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Uncontrolled recursion in AGG's cell_aa::not_equal causes stack exhaustion in SVG++ 1.2.3.
Vulnerability
An issue exists in Anti-Grain Geometry (AGG) 2.4, as used in SVG++ 1.2.3. In the function agg::cell_aa::not_equal, the value dx is computed as (x2 - x1). If dx >= dx_limit (where dx_limit is 16384 << poly_subpixel_shift), the function calls itself recursively. Under certain conditions, dx always exceeds the limit, leading to infinite recursion and eventual stack consumption [1].
Exploitation
Exploitation requires a crafted SVG file that triggers the recursive condition when rendered. No authentication is needed, but user interaction is required to open the malicious file. The recursion causes uncontrolled stack growth, consuming all available stack space [1]. Specific input details are not publicly disclosed beyond the issue report.
Impact
Successful exploitation results in a denial of service (DoS) due to stack overflow. This can crash the application or render it unresponsive, potentially affecting availability.
Mitigation
As of the reference [1], no official patch has been released. Users should avoid processing untrusted SVG files or consider using alternative libraries. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
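A bounded form of the recursion described under Vulnerability, as an added example that is not AGG's or SVG++'s code. `split_span`, `check_span`, the midpoint split, the symmetric negative check and `poly_subpixel_shift = 8` are assumptions; the page gives only the `dx >= dx_limit` test and the `16384 << poly_subpixel_shift` formula.

```cpp
#include <cstdint>
#include <climits>

// Assumption: poly_subpixel_shift = 8; the page gives only the formula.
constexpr int poly_subpixel_shift = 8;
constexpr std::int64_t dx_limit = std::int64_t(16384) << poly_subpixel_shift;

struct SplitStats {
    long segments = 0;  // pieces narrower than dx_limit
    int deepest = 0;    // deepest recursion level reached
    bool ok = true;     // false when the depth cap rejected the input
};

// Hypothetical stand-in for the recursive routine (not the library's code).
void split_span(int x1, int x2, int depth, int max_depth, SplitStats& st) {
    if (depth > st.deepest) st.deepest = depth;
    // 64-bit difference: the subtraction cannot overflow for any pair of ints.
    const std::int64_t dx = std::int64_t(x2) - std::int64_t(x1);
    if (dx < dx_limit && dx > -dx_limit) { ++st.segments; return; }
    // Fail closed instead of recursing until the stack is exhausted.
    if (depth >= max_depth) { st.ok = false; return; }
    // Midpoint computed in 64 bits, so it always lies between x1 and x2.
    const int cx = static_cast<int>((std::int64_t(x1) + std::int64_t(x2)) / 2);
    split_span(x1, cx, depth + 1, max_depth, st);
    split_span(cx, x2, depth + 1, max_depth, st);
}

// A 2^32-wide span drops below dx_limit (2^22) in 11 halvings; 16 leaves margin.
SplitStats check_span(int x1, int x2, int max_depth = 16) {
    SplitStats st;
    split_span(x1, x2, 0, max_depth, st);
    return st;
}

int main() {
    const SplitStats full = check_span(INT_MIN, INT_MAX);  // widest possible span
    return full.ok ? 0 : 1;
}
```

A caller would treat `ok == false` as a rejected path and skip rendering it rather than continue.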
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.4
Patches
No patches discovered yet.
References
- lists.debian.org/debian-lts-announce/2019/02/msg00001.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2021/12/msg00038.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2023/04/msg00001.html (mitre, mailing-list)
- github.com/svgpp/svgpp/issues/70 (mitre)