Qt SVG Type Confusion Vulnerability Leading to Application Crash
Vulnerability
A type confusion vulnerability has been identified in Qt SVG versions 6.7.0 prior to 6.8.8 and 6.9.0 prior to 6.11.1. This vulnerability allows an attacker to cause an application crash by exploiting how SVG marker references are processed. The renderer retrieves nodes by their id attribute and incorrectly casts them to QSvgMarker pointers without verifying the node type. When a non-marker element, such as a line, references itself as a marker, it triggers an out-of-bounds heap read due to the size difference between QSvgLine and QSvgMarker. This is followed by an endless recursion that bypasses the marker recursion guard, leading to a denial-of-service condition by crashing the application.
Impact
Exploitation of this vulnerability causes a denial-of-service condition by crashing the application.
Reproduction
The vulnerability can be reproduced using a crafted SVG image that includes a line element referencing itself as a marker. This can be done by creating an SVG file that includes a line element with an id attribute that is referenced as a marker, exploiting the type confusion when the SVG is processed by an application using the vulnerable version of Qt SVG.
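As an added defensive example (not code from the advisory or from Qt SVG), the check below pre-screens untrusted SVG before it reaches a renderer: it rejects any marker reference whose target id is missing, is not a `<marker>` element, or is the referencing element itself, which is the self-referencing line described above. The property names, regex and sample documents are constructed assumptions for illustration.

```python
"""Pre-screen untrusted SVG: reject marker refs that do not resolve to a <marker>."""
import re
import xml.etree.ElementTree as ET

# Presentation attributes that may carry a url(#id) marker reference.
MARKER_PROPS = ("marker", "marker-start", "marker-mid", "marker-end")
URL_REF = re.compile(r"url\(\s*[\"']?#([^\"')\s]+)[\"']?\s*\)")

def _local(tag):
    # Strip the XML namespace: "{ns}line" -> "line".
    return tag.rsplit("}", 1)[-1]

def _marker_refs(elem):
    """Yield (property, target-id) for every marker reference on one element,
    taken from presentation attributes and from the inline style attribute."""
    for prop in MARKER_PROPS:
        m = URL_REF.search(elem.get(prop, ""))
        if m:
            yield prop, m.group(1)
    for decl in elem.get("style", "").split(";"):
        prop, _, val = decl.partition(":")
        m = URL_REF.search(val) if prop.strip() in MARKER_PROPS else None
        if m:
            yield prop.strip(), m.group(1)

def find_bad_marker_refs(svg_text):
    """Return (property, id, reason) for each marker reference that a renderer
    must not follow: unresolved id, self-reference, or target not a <marker>."""
    root = ET.fromstring(svg_text)
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    problems = []
    for elem in root.iter():
        for prop, ref in _marker_refs(elem):
            target = by_id.get(ref)
            if target is None:
                problems.append((prop, ref, "unresolved id"))
            elif target is elem:
                problems.append((prop, ref, "self-reference"))
            elif _local(target.tag) != "marker":
                problems.append((prop, ref, f"target is <{_local(target.tag)}>, not <marker>"))
    return problems

# Constructed sample inputs (not taken from the advisory).
GOOD_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <defs><marker id="arrow"><path d="M0,0 L4,2 L0,4 z"/></marker></defs>
  <line x1="0" y1="0" x2="10" y2="10" marker-end="url(#arrow)"/>
</svg>"""
SELF_REF_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <line id="l1" x1="0" y1="0" x2="10" y2="10" style="marker-start:url(#l1)"/>
</svg>"""
```

A non-empty result means the file should be rejected or sanitized before an application built on an unpatched Qt SVG is allowed to render it.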
Remediation
Users should upgrade to a fixed release for the series they are on: Qt SVG 6.8.8 or later for the 6.7/6.8 series, or 6.11.1 or later for the 6.9 series and newer.