Thor Vector Graphics
Affected versions: <= 1.0.0
A null pointer dereference vulnerability has been identified in Thor Vector Graphics (ThorVG) versions prior to 1.0.5. The issue arises in the SvgLoader component, specifically within the run() function. Any caller that passes untrusted SVG data to the Picture::load() method can trigger the defect, leading to a process crash. The vulnerability can be exploited with a minimal 6-byte payload, causing a segmentation fault by dereferencing a null pointer.
Exploitation of this vulnerability causes a segmentation fault, leading to a process crash. This behavior has been confirmed in both release and AddressSanitizer builds, indicating a denial-of-service impact. The vulnerability does not cause any memory corruption beyond the null dereference.
The vulnerability can be reproduced by passing malformed SVG input, such as a simple SVG tag followed by a less-than sign, to the Picture::load() method. This can be done manually or automated through a fuzzing tool like AFL++, which discovered the vulnerability by mutating SVG data to create a crash payload.
Users can upgrade to ThorVG version 1.0.5, which addresses the vulnerability by adding a null check before dereferencing the pointer, ensuring that malformed SVG input does not cause a process crash.