PT-2019-11531 · Nanosvg · Nanosvg
Bitwave +1 · Published 2019-05-15 · Updated 2021-07-21 · CVE-2019-1010258
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions:
nanosvg library versions after commit c1f6e209c16b18b46aa9f45d7e619acf42c29726
Description:
The issue affects the nanosvg library, which is part of an SVG processing library. It is caused by a buffer overflow in the nsvg__parseColorRGB function, located in src/nanosvg.h at line 1227. This can lead to memory corruption, resulting in at least a denial of service (DoS). The attack vector depends on the library's usage, and if input is passed from the network, network connectivity is sufficient for an attack. Most likely, an attack will require opening a specially crafted .svg file.
Recommendations:
For versions after commit c1f6e209c16b18b46aa9f45d7e619acf42c29726, as a temporary workaround, consider disabling the nsvg__parseColorRGB function until a patch is available. Restrict access to the library when processing untrusted SVG files to minimize the risk of exploitation. Avoid using the library to process .svg files from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Memory Corruption
Affected Products
Nanosvg
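
The description above places the overflow in the parser for rgb() color values but does not say how it occurs. The following is an added example, not nanosvg code and not part of the advisory: a length-bounded rgb() parser that never copies input into a fixed-size buffer. The name safe_parse_rgb, the red-in-low-byte packing and the sample strings are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a nanosvg function): parse "rgb(r,g,b)" or
 * "rgb(r%,g%,b%)" from a length-bounded string without copying input into a
 * fixed-size buffer. Returns 0 and stores red in the low byte, or -1. */
static int safe_parse_rgb(const char *str, size_t len, unsigned int *out)
{
    const char *p = str, *end = str + len;
    unsigned int comp[3];
    int percent = -1;                          /* -1: unit not seen yet */
    if (len < 4 || strncmp(p, "rgb(", 4) != 0) return -1;
    p += 4;
    for (int i = 0; i < 3; i++) {
        unsigned int v = 0;
        int digits = 0;
        while (p < end && isspace((unsigned char)*p)) p++;
        while (p < end && isdigit((unsigned char)*p)) {
            if (++digits > 3) return -1;       /* value <= 999, no int overflow */
            v = v * 10 + (unsigned int)(*p++ - '0');
        }
        if (digits == 0) return -1;            /* also rejects '-' and '.' */
        int pc = (p < end && *p == '%');
        if (pc) p++;
        if (percent == -1) percent = pc;
        else if (percent != pc) return -1;     /* mixed units rejected */
        if (pc) v = (v > 100 ? 100 : v) * 255 / 100;
        else if (v > 255) v = 255;             /* clamp instead of wrapping */
        comp[i] = v;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (p >= end || *p != (i < 2 ? ',' : ')')) return -1;
        p++;
    }
    *out = comp[0] | (comp[1] << 8) | (comp[2] << 16);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "rgb(255, 128, 0)", "rgb(100%,0%,50%)", "rgb(1,,,,,,,,2,3)" };
    for (int i = 0; i < 3; i++) {
        unsigned int c = 0;
        int rc = safe_parse_rgb(samples[i], strlen(samples[i]), &c);
        printf("%-20s rc=%d color=0x%06X\n", samples[i], rc, c);
    }
    return 0;
}
```

The parser takes an explicit length, so it also works on attribute values that are not NUL-terminated, and it rejects malformed input instead of guessing at it.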