Division by Zero in coders/wmf.c

Swiss army knife of image processing

Brought to you by: bfriesen

Milestone: v1.0_(example)

Status: closed-fixed

Owner: Bob Friesenhahn

Labels: security (2) bug (4)

Priority: 5

Updated: 2019-04-08

Created: 2019-04-08

Creator: Ridwan

Private: No

A "division by zero" bug in coders/wmf.c allows remote attacker to cause a denial of service to imagemagick via "identify $FILE"

coders/wmf.c:2551:31: runtime error: division by zero
coders/wmf.c:2566:38: runtime error: division by zero

Verified with latest build 1_3_31

Bob Friesenhahn - 2019-04-08

This problem is fixed by Mercurial changeset 15957:72b0bcf425b6. It seems like libwmf should have reported an error from wmf_scan() if the bounding box is zero.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: