ImageMagick Buffer Overflow Vulnerability in SVG Writing Function Causes Denial-of-Service

A buffer overflow vulnerability has been identified in ImageMagick versions prior to 7.1.2-12, specifically within the WriteSVGImage function. The issue arises from an integer overflow caused by using an int variable to store the number of attributes, which then leads to a buffer overflow and a denial-of-service condition. The vulnerability can be triggered by converting a malicious MVG file to SVG, allowing for the manipulation of the number of attributes and causing the application to crash.

Impact

Exploitation of this vulnerability leads to a buffer overflow, causing a crash or undefined behavior in the application.

Reproduction

The vulnerability can be reproduced by using the ImageMagick command-line tool to convert a crafted MVG file that exploits the integer overflow into an SVG file. This can be done by running the command 'magick mvg:test++/1.mvg 1.svg', where 'test++/1.mvg' is a malicious MVG file designed to trigger the vulnerability.

Remediation

Users should upgrade to ImageMagick version 7.1.2-12 or later, where this vulnerability has been fixed.