libwmf v0.2.13 Integer Overflow in libwmf Left-Shift Operations (wmf.c, fig.c, svg.c)
libwmf contains an integer overflow and undefined behavior vulnerability caused by left-shift operations on signed integers (such as 1 << 31). The issue is present in wmf.c, fig.c and svg.c, is triggered while processing a malicious WMF file, and can lead to application crashes, rendering errors or the failure of internal safety checks. Although no memory corruption was observed, compiler optimizations may turn the undefined behavior into dangerous behavior.

2025-9-16 03:1:21 Author: seclists.org


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 14:59:58 -0400

libwmf is vulnerable to an integer overflow / undefined behavior condition
in multiple code paths. The affected source files (wmf.c, fig.c, svg.c) use
left-shift operations on signed integers that shift into the sign bit
(e.g., 1 << 31). According to the C standard, shifting a signed integer
into the sign bit is undefined behavior and may lead to incorrect values or
unexpected execution paths. When a crafted WMF file is processed with tools
such as wmf2fig or wmf2svg, the integer overflow is triggered during API
initialization (wmf_api_create) and rendering setup (wmf_fig_function,
wmf_svg_function). Depending on compiler optimizations and platform, this
can result in miscalculated flags, denial of service, or other
unpredictable behavior.


*Impact:*

   - Application aborts due to invalid state.
   - Miscomputed flags could lead to corrupted rendering or bypassing internal safety checks.
   - While no controlled memory corruption was observed, compilers may optimize UB in dangerous ways.

*Proof of Concept:*

ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0
UBSAN_OPTIONS=print_stacktrace=1 ./src/convert/wmf2fig AAAAAA....AAAA.wmf


*Output:*

wmf.c:110:11: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

    #0 0xaaaac5564d74 in wmf_api_create /root/libwmf/src/wmf.c:110:11
    #1 0xaaaac554c874 in wmf2fig_draw /root/libwmf/src/convert/wmf2fig.c:118:8
    #2 0xaaaac555b4a0 in wmf2fig_file /root/libwmf/src/convert/wmf2fig.c:479:11
    #3 0xaaaac555bd3c in main /root/libwmf/src/convert/wmf2fig.c:498:33
    #4 0xffff9afc2290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0xffff9afc2374 in __libc_start_main csu/../csu/libc-start.c:360:3
    #6 0xaaaac546d2ac in _start (/root/libwmf/src/convert/wmf2fig+0xdd2ac) (BuildId: a39ad033766fcd9a1723b20e5eb94936b2d83e67)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
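The report names the pattern (a signed `1 << 31` used as a flag mask) but not the exact expression at wmf.c:110, so the following is an added illustration, not libwmf's code: a comment shows why the signed shift is undefined, and the helpers beside it compute the same masks with unsigned arithmetic and reject shift counts that would themselves be undefined when the bit position comes from file data. The function names (`flag_bit`, `flag_bit_checked`, `flag_is_set`) are assumptions made for this example.

```c
/* Added example, not code from libwmf. Shows a well-defined replacement
 * for the signed-shift flag masks described in the report. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The undefined form is `1 << 31`: the constant 1 has type int, and on a
 * platform with 32-bit int the shifted bit lands in the sign bit, which
 * C11 6.5.7p4 leaves undefined. UBSan reports it as
 * "left shift of 1 by 31 places cannot be represented in type 'int'",
 * the message quoted in the advisory. The fix is to shift an unsigned
 * operand of known width, which is defined for every position 0..31. */

/* Mask for bit position `pos`; the caller must keep pos < 32. */
static uint32_t flag_bit(unsigned int pos)
{
    return UINT32_C(1) << pos;
}

/* Guarded variant for positions that come from untrusted input: a shift
 * count >= the operand width is itself undefined, so reject it instead
 * of shifting. Returns false and leaves *out untouched on rejection. */
static bool flag_bit_checked(unsigned int pos, uint32_t *out)
{
    if (pos >= 32U) {
        return false;
    }
    *out = UINT32_C(1) << pos;
    return true;
}

/* Test a flag word for bit `pos` using only unsigned arithmetic; an
 * out-of-range position reads as "not set" rather than as UB. */
static bool flag_is_set(uint32_t flags, unsigned int pos)
{
    uint32_t mask;
    if (!flag_bit_checked(pos, &mask)) {
        return false;
    }
    return (flags & mask) != 0;
}

int main(void)
{
    uint32_t hi = flag_bit(31);
    uint32_t m = 0;

    printf("bit 31 mask: 0x%08x\n", hi);                 /* 0x80000000 */
    printf("bit 32 accepted: %d\n", flag_bit_checked(32, &m)); /* 0 */
    printf("bit 31 set in mask: %d\n", flag_is_set(hi, 31));   /* 1 */
    return 0;
}
```

Building the library with `-fsanitize=undefined` (GCC or Clang) is what produces the diagnostic in the report, so the same flag is a cheap regression check once the shifts have been changed to unsigned operands.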



Source: https://seclists.org/fulldisclosure/2025/Sep/48