Skip to content

ImageSharp.Drawing crashes on malformed SVG path input (IOOB, ArithmeticException) #385

Open
Open
ImageSharp.Drawing crashes on malformed SVG path input (IOOB, ArithmeticException)#385
Labels
needs triage
@pawlos

Description

@pawlos
pawlos
opened on Mar 20, 2026

Prerequisites

  • I have written a descriptive issue title
  • I have verified that I am running the latest version of ImageSharp.Drawing
  • I have verified if the problem exist in both DEBUG and RELEASE mode
  • I have searched open and closed issues to ensure it has not already been reported

ImageSharp.Drawing version

2.1.7 (latest stable on NuGet)

Other ImageSharp packages and versions

N/A

Environment (Operating system, version and so on)

Linux x64 (WSL2 / Ubuntu)

.NET Framework version

.NET 10.0

Description

Fuzzing ImageSharp.Drawing with AFL++ and SharpFuzz found 2 unique crashes triggered by malformed SVG path strings.

Crash 1 - IndexOutOfRangeException in ArcLineSegment constructor (89 bytes). SVG arc parameters with overflowing numeric values cause an unchecked array access.

Crash 2 - ArithmeticException in TopologyUtilities.GetPolygonOrientation (40 bytes). A malformed SVG arc with overflowing radius produces NaN coordinates that propagate through the geometry pipeline into Math.Sign(), which rejects NaN values.

Steps to Reproduce

using SixLabors.ImageSharp;
using SixLabors.ImageSharp.Drawing;
using SixLabors.ImageSharp.Drawing.Processing;
using SixLabors.ImageSharp.PixelFormats;
using SixLabors.ImageSharp.Processing;

// Crash 1 — IOOB in ArcLineSegment (89 bytes)
var svg1 = "M 10 80 A 4444444444444444444444444444444444444445 45 0 04445 45 0 0 0 125 125 L 125 80 Z";

// Crash 2 — ArithmeticException from NaN (40 bytes)
var svg2 = "M 10 80 A 45 455555555555555555555555 55";

foreach (var (name, svg) in new[] { ("crash_1", svg1), ("crash_2", svg2) })
{
    try
    {
        if (SixLabors.ImageSharp.Drawing.Path.TryParseSvgPath(svg, out var path))
        {
            using var image = new Image<Rgba32>(100, 100);
            image.Mutate(ctx => ctx.Fill(Color.Red, path));
        }
        Console.WriteLine($"{name}: OK");
    }
    catch (Exception ex)
    {
        Console.WriteLine($"{name}: {ex.GetType().Name} — {ex.Message}");
    }
}

Crash 1 stack trace:

System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SixLabors.ImageSharp.Drawing.ArcLineSegment..ctor(PointF from, PointF to, SizeF radius, Single rotation, Boolean largeArc, Boolean sweep)
   at SixLabors.ImageSharp.Drawing.PathBuilder.AddArc(...)
   at SixLabors.ImageSharp.Drawing.Path.TryParseSvgPath(ReadOnlySpan`1 svgPath, IPath& value)

Crash 2 stack trace:

System.ArithmeticException: Function does not accept floating point Not-a-Number values.
   at System.Math.Sign(Single value)
   at SixLabors.ImageSharp.Drawing.Shapes.Helpers.TopologyUtilities.GetPolygonOrientation(ReadOnlySpan`1 polygon)
   at SixLabors.ImageSharp.Drawing.Shapes.TessellatedMultipolygon.Create(IPath path, MemoryAllocator memoryAllocator)
   at SixLabors.ImageSharp.Drawing.Processing.Processors.Drawing.FillPathProcessor`1.OnFrameApply(ImageFrame`1 source)

Images

N/A - these are SVG path parsing bugs, no image files needed. The crashing inputs are inline SVG path strings in the reproduction code above.

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs triage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions