CVE-2019-6246

Vulnerability

An out-of-bounds read vulnerability exists in SVG++ (svgpp) version 1.2.3. The issue occurs in the gil::get_color function from Boost's Generic Image Library. After calling this function, the return code is used as an address, causing an access violation due to an out-of-bounds read. According to the reference [1], a type confusion bug is the root cause: buffer.pixfmt() is expected to return a reference to pixfmt_alpha_blend_rgba but instead returns an unexpected struct, leading to an OOB read when accessing the stride member. The crash is observed in src/demo/svgpp_agg_render at line 1705.

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted SVG file that triggers the vulnerable code path. No authentication is required if the application processes user-supplied SVG files. The type confusion leads to reading memory beyond the intended buffer. The reference [1] includes a proof-of-concept (PoC) and AddressSanitizer (ASAN) output demonstrating the crash.

Impact

Successful exploitation results in an out-of-bounds read, which may lead to information disclosure (info-leak). The reference [1] explicitly states that this bug may be used for information leakage. No code execution is described for this specific vulnerability.

Mitigation

As of the publication date (2019-01-13), no official fix or patched version has been released for SVG++ 1.2.3. Users should avoid processing untrusted SVG files with this version. No workaround is documented. The project may be unmaintained; consider alternative SVG parsing libraries. This CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog.