
Full Disclosure mailing list archives
libwmf v0.2.13 Integer Overflow in libwmf Left-Shift Operations (wmf.c, fig.c, svg.c)
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 14:59:58 -0400
libwmf is vulnerable to an integer overflow / undefined behavior condition in multiple code paths. The affected source files (wmf.c, fig.c, svg.c) use left-shift operations on signed integers that shift into the sign bit (e.g., 1 << 31). According to the C standard, shifting a signed integer into the sign bit is undefined behavior and may lead to incorrect values or unexpected execution paths.

When a crafted WMF file is processed with tools such as wmf2fig or wmf2svg, the integer overflow is triggered during API initialization (wmf_api_create) and rendering setup (wmf_fig_function, wmf_svg_function). Depending on compiler optimizations and platform, this can result in miscalculated flags, denial of service, or other unpredictable behavior.

*Impact:*
- Application aborts due to invalid state.
- Miscomputed flags could lead to corrupted rendering or bypassing internal safety checks.
- While no controlled memory corruption was observed, compilers may optimize UB in dangerous ways.

*Proof of Concept:*
ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0 UBSAN_OPTIONS=print_stacktrace=1 ./src/convert/wmf2fig AAAAAA....AAAA.wmf

*Output:*
wmf.c:110:11: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
    #0 0xaaaac5564d74 in wmf_api_create /root/libwmf/src/wmf.c:110:11
    #1 0xaaaac554c874 in wmf2fig_draw /root/libwmf/src/convert/wmf2fig.c:118:8
    #2 0xaaaac555b4a0 in wmf2fig_file /root/libwmf/src/convert/wmf2fig.c:479:11
    #3 0xaaaac555bd3c in main /root/libwmf/src/convert/wmf2fig.c:498:33
    #4 0xffff9afc2290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0xffff9afc2374 in __libc_start_main csu/../csu/libc-start.c:360:3
    #6 0xaaaac546d2ac in _start (/root/libwmf/src/convert/wmf2fig+0xdd2ac) (BuildId: a39ad033766fcd9a1723b20e5eb94936b2d83e67)
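The defect class the report describes, shown as an added stand-alone C example that is neither libwmf's code nor the reporter's PoC: the signed "1 << n" flag form that UBSan flags at n == 31, beside the two defined replacements a fix would normally use (an unsigned flag constant, and a representability check before any signed shift). Every function name here is an illustrative assumption, not a libwmf identifier.

```c
/* Added example: the signed-shift defect reported above, beside defined
 * replacements. Stand-alone; nothing here is libwmf's own code. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Width of int in bits, without assuming 32. */
#define INT_BITS (sizeof(int) * CHAR_BIT)

/* The pattern the report describes: a flag built as "1 << n" in signed int.
 * For n == 31 on a 32-bit int the result is not representable, so the shift
 * is undefined behaviour; UBSan prints the message quoted in the report.
 * Kept only for comparison; never call it with n >= INT_BITS - 1. */
static int flag_bit_signed(int n)
{
    return 1 << n;
}

/* Fix 1: build flag constants in unsigned arithmetic. There is no sign bit to
 * overflow into, so 1u << 31 is simply 0x80000000. Out-of-range n yields 0
 * instead of another undefined shift. */
uint32_t flag_bit(unsigned n)
{
    return n < 32 ? (uint32_t)1u << n : 0u;
}

/* Fix 2: when the operand must stay signed, test representability first.
 * value << n is defined iff value >= 0, 0 <= n < INT_BITS, and the result
 * fits in INT_MAX, i.e. value <= INT_MAX >> n (that shift is always defined). */
bool signed_shift_is_defined(int value, int n)
{
    if (value < 0 || n < 0 || (size_t)n >= INT_BITS)
        return false;
    return value <= (INT_MAX >> n);
}

/* Checked shift: reports failure instead of invoking undefined behaviour. */
bool checked_shift_left(int value, int n, int *out)
{
    if (!signed_shift_is_defined(value, n))
        return false;
    *out = value << n;
    return true;
}

/* Flag test done entirely in unsigned arithmetic, so a flag in bit 31 is
 * compared as a plain bit and not as a negative int. */
bool flags_have(uint32_t flags, uint32_t wanted)
{
    return (flags & wanted) == wanted;
}

int main(void)
{
    int r;
    uint32_t flags = flag_bit(0) | flag_bit(31);

    printf("flag_bit_signed(3) = %d (defined)\n", flag_bit_signed(3));
    printf("1 << 30 defined: %d, 1 << 31 defined: %d\n",
           signed_shift_is_defined(1, 30), signed_shift_is_defined(1, 31));
    printf("flag_bit(31) = 0x%08x\n", (unsigned)flag_bit(31));
    if (!checked_shift_left(1, 31, &r))
        printf("checked_shift_left(1, 31) refused the shift\n");
    printf("flags 0x%08x have bit 31: %d\n", (unsigned)flags,
           flags_have(flags, flag_bit(31)));
    return 0;
}
```

Building this with -fsanitize=undefined and calling flag_bit_signed(31) reproduces the same "left shift of 1 by 31 places cannot be represented in type 'int'" diagnostic; flag_bit(31) and checked_shift_left(1, 31, &r) produce no report, because the first never shifts a signed value and the second refuses before the shift happens.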