SIGSEV on libwmf using crafted wmf file:
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2e6ac80 in WmfPlayMetaFile (API=0x630360) at player.c:486
486         Par[i] = (unsigned char) byte;
(gdb) bt
#0  0x00007ffff2e6ac80 in WmfPlayMetaFile (API=0x630360) at player.c:486
#1  0x00007ffff2e6a129 in wmf_scan (API=0x630360, flags=0, d_r=0x7fffffff7350) at player.c:143
#2  0x00007ffff307e237 in ?? () from /usr/lib/ImageMagick-6.9.6/modules-Q16HDRI/coders/wmf.so
#3  0x00007ffff7996dfa in ReadImage () from /usr/lib/libMagickCore-6.Q16HDRI.so.2
#4  0x00007ffff7abb7aa in ReadStream () from /usr/lib/libMagickCore-6.Q16HDRI.so.2
#5  0x00007ffff7996951 in PingImage () from /usr/lib/libMagickCore-6.Q16HDRI.so.2
#6  0x00007ffff7996b83 in PingImages () from /usr/lib/libMagickCore-6.Q16HDRI.so.2
#7  0x00007ffff765eb73 in IdentifyImageCommand () from /usr/lib/libMagickWand-6.Q16HDRI.so.2
#8  0x00007ffff768d8e6 in MagickCommandGenesis () from /usr/lib/libMagickWand-6.Q16HDRI.so.2
#9  0x000000000040089f in ?? ()
#10 0x00007ffff703e291 in __libc_start_main () from /usr/lib/libc.so.6
#11 0x000000000040092a in ?? ()
sorry, I somehow managed to misspell SIGSEGV both times.
Looking at the code (for the first time in 11 years - sorry, I'm very rusty on this) I can't understand why there should be an error there. It does occur to me that maybe somewhere there is a signed integer overflow causing this, but I would really need more time to solve this than I can afford at the moment.
I am curious about how the metafile was crafted, i.e., what was special about it?