CVE-2023-40032: svgload: fix null-pointer dereference (#3604) · libvips/libvips@e091d65
libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.
@@ -145,7 +145,7 @@ vips_foreign_load_svg_zfree( void *opaque, void *ptr )
/* Find a utf-8 substring within the first len_bytes (not characters).
*
* - case-insensitive
* - needle must be zero-terminated, but hackstack need not be
* - needle must be zero-terminated, but haystack need not be
* - haystack can be null-terminated
* - if haystack is shorter than len bytes, that’ll end the search
* - if we hit invalid utf-8, we return NULL
@@ -191,11 +191,14 @@ vips_utf8_strcasestr( const char *haystack_start, const char *needle_start,
b == (gunichar) -2 )
return( NULL );
/* End of haystack. There can’t be a complete needle
* anywhere.
/* Disallow codepoint U+0000 as it’s a nul byte.
* This is redundant with GLib >= 2.63.0, see:
* https://gitlab.gnome.org/GNOME/glib/-/merge_requests/967
*/
#if !GLIB_CHECK_VERSION( 2, 63, 0 )
if( a == (gunichar) 0 )
return( NULL );
#endif
/* Mismatch.
*/
@@ -205,6 +208,15 @@ vips_utf8_strcasestr( const char *haystack_start, const char *needle_start,
haystack_char =
g_utf8_find_next_char( haystack_char,
haystack_start + len_bytes );
/* End of haystack. There can’t be a complete needle
* anywhere.
*/
if( haystack_char == NULL )
return( NULL );
/* needle_char will never be NULL.
*/
needle_char =
g_utf8_find_next_char( needle_char, NULL );
}
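Review bot: The comment `/* needle_char will never be NULL. */` added before the second g_utf8_find_next_char() call states the invariant without saying what it rests on, which matters here because this commit exists precisely because the same call on the haystack side can return NULL. I would spell it out: `/* needle is zero-terminated (see the header comment) and end is NULL, so g_utf8_find_next_char() cannot return NULL here. */`. The U+0000 guard in the previous hunk tests only `a`; if `a` is the haystack codepoint and `b` the needle's, that is presumably deliberate because the needle comes from the caller rather than from document content, and a clause saying so in that guard's comment would save the next reader the question. The enclosing loop and vips_utf8_strcasestr() itself begin above this hunk.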