SIGSEV on libwmf using crafted wmf file:
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2e6ac80 in WmfPlayMetaFile (API=0x630360) at player.c:486
486 Par[i] = (unsigned char) byte;
(gdb) bt
#0 0x00007ffff2e6ac80 in WmfPlayMetaFile (API=0x630360) at player.c:486
#1 0x00007ffff2e6a129 in wmf_scan (API=0x630360, flags=0, d_r=0x7fffffff7350) at player.c:143
#2 0x00007ffff307e237 in ?? () from /usr/lib/ImageMagick-6.9.6/modules-Q16HDRI/coders/wmf.so
#3 0x00007ffff7996dfa in ReadImage () from /usr/lib/libMagickCore-6.Q16HDRI.so.2
#4 0x00007ffff7abb7aa in ReadStream () from /usr/lib/libMagickCore-6.Q16HDRI.so.2
#5 0x00007ffff7996951 in PingImage () from /usr/lib/libMagickCore-6.Q16HDRI.so.2
#6 0x00007ffff7996b83 in PingImages () from /usr/lib/libMagickCore-6.Q16HDRI.so.2
#7 0x00007ffff765eb73 in IdentifyImageCommand () from /usr/lib/libMagickWand-6.Q16HDRI.so.2
#8 0x00007ffff768d8e6 in MagickCommandGenesis () from /usr/lib/libMagickWand-6.Q16HDRI.so.2
#9 0x000000000040089f in ?? ()
#10 0x00007ffff703e291 in __libc_start_main () from /usr/lib/libc.so.6
#11 0x000000000040092a in ?? ()
Sorry, I somehow managed to misspell SIGSEGV both times.
Looking at the code (for the first time in 11 years - sorry, I'm very rusty on this) I can't understand why there should be an error there. It does occur to me that maybe somewhere there is a signed integer overflow causing this, but I would really need more time to solve this than I can afford at the moment.
I am curious about how the metafile was crafted, i.e., what was special about it?