Apple Safari Malformed SVGList Parsing Code Execution Vulnerability

2009-05-13T00:00:00
ID ZDI-09-022
Type zdi
Reporter Nils
Modified 2009-06-22T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists during the parsing of malformed SVGLists via the SVGPathList data structure, the following lists are affected: SVGTransformList, SVGStringList, SVGNumberList, SVGPathSegList, SVGPointList, SVGLengthList. When a negative index argument is suppled to the insertItemBefore() method, a memory corruption occurs resulting in the ability to execute arbitrary code.