Problem Description
When GNU Emacs renders an SVG image whose image spec includes a
:css property, an off-by-one error in svg_load_image() writes a NUL
byte one position past the end of a heap allocation. The copied
string is also left without NUL termination within its allocation,
causing a subsequent out-of-bounds read.
Impact
A single NUL byte heap overflow is a well-understood exploitation
primitive ("poison NUL byte") that can corrupt heap metadata and
potentially be escalated to arbitrary code execution. The overflow
can be triggered by Lisp code that displays an SVG image with a
crafted :css property.