Message-ID: <CAFmK-GxZXkhT8BGBEddmCecEUU055_dBhtGtf_QdYjFw3R6GiQ@mail.gmail.com>
Date: Sat, 13 Sep 2025 14:59:58 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libwmf v0.2.13 Integer Overflow in libwmf Left-Shift Operations (wmf.c, fig.c, svg.c)

libwmf is vulnerable to an integer overflow / undefined behavior condition
in multiple code paths. The affected source files (wmf.c, fig.c, svg.c) use
left-shift operations on signed integers that shift into the sign bit
(e.g., 1 << 31). According to the C standard, shifting a signed integer
into the sign bit is undefined behavior and may lead to incorrect values or
unexpected execution paths. When a crafted WMF file is processed with tools
such as wmf2fig or wmf2svg, the integer overflow is triggered during API
initialization (wmf_api_create) and rendering setup (wmf_fig_function,
wmf_svg_function). Depending on compiler optimizations and platform, this
can result in miscalculated flags, denial of service, or other
unpredictable behavior.


*Impact:*

   - Application aborts due to invalid state.
   - Miscomputed flags could lead to corrupted rendering or bypassing
   internal safety checks.
   - While no controlled memory corruption was observed, compilers may
   optimize UB in dangerous ways.

*Proof of Concept:*

ASAN_OPTIONS=abort_on_error=1,allocator_may_return_null=0,detect_leaks=0
UBSAN_OPTIONS=print_stacktrace=1 ./src/convert/wmf2fig AAAAAA....AAAA.wmf


*Output:*

wmf.c:110:11: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
    #0 0xaaaac5564d74 in wmf_api_create /root/libwmf/src/wmf.c:110:11
    #1 0xaaaac554c874 in wmf2fig_draw /root/libwmf/src/convert/wmf2fig.c:118:8
    #2 0xaaaac555b4a0 in wmf2fig_file /root/libwmf/src/convert/wmf2fig.c:479:11
    #3 0xaaaac555bd3c in main /root/libwmf/src/convert/wmf2fig.c:498:33
    #4 0xffff9afc2290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0xffff9afc2374 in __libc_start_main csu/../csu/libc-start.c:360:3
    #6 0xaaaac546d2ac in _start (/root/libwmf/src/convert/wmf2fig+0xdd2ac) (BuildId: a39ad033766fcd9a1723b20e5eb94936b2d83e67)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
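The defensive counterpart of the pattern the advisory describes, as an added example that is not part of the post and not libwmf's own code: the undefined `1 << 31` on a signed int is replaced by a mask computed in unsigned arithmetic through a helper that also rejects shift counts of 32 or more, and a small predicate reports whether a given signed left shift of 1 is defined on the current platform (it assumes the usual two's-complement int of `sizeof(int) * CHAR_BIT` bits). The names `flag_mask_u32`, `signed_shift_is_defined`, `set_flag` and `has_flag` are hypothetical; the libwmf sources referenced in the trace are not reproduced here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical flag-mask helper (not libwmf code). Writes `1u << bit` to *out
 * and returns true when `bit` is a valid index for a 32-bit flag word.
 * Shifting an unsigned value is fully defined by the C standard, so bit 31
 * yields 0x80000000 instead of the undefined behaviour UBSan reported. */
bool flag_mask_u32(unsigned int bit, uint32_t *out)
{
    if (out == NULL || bit >= 32) {
        return false;               /* shift count must be < type width */
    }
    *out = (uint32_t)1 << bit;
    return true;
}

/* Reports whether `1 << bit` on a signed int is defined on this platform:
 * the count must be smaller than the width of int AND the result must fit in
 * the non-negative range, i.e. bit must be strictly below width - 1.
 * For a 32-bit int, bit 30 is the last defined position; 31 is not. */
bool signed_shift_is_defined(unsigned int bit)
{
    const unsigned int int_bits = (unsigned int)(sizeof(int) * CHAR_BIT);
    return bit < int_bits - 1;
}

/* Set a flag bit in an unsigned flag word; out-of-range bits are ignored. */
uint32_t set_flag(uint32_t flags, unsigned int bit)
{
    uint32_t mask;
    return flag_mask_u32(bit, &mask) ? (flags | mask) : flags;
}

/* Test a flag bit in an unsigned flag word; out-of-range bits read as unset. */
bool has_flag(uint32_t flags, unsigned int bit)
{
    uint32_t mask;
    return flag_mask_u32(bit, &mask) && (flags & mask) != 0;
}

int main(void)
{
    uint32_t flags = set_flag(0, 31);   /* well defined: 0x80000000 */

    printf("flags=0x%08" PRIx32 " bit31_set=%d bit40_set=%d\n",
           flags, (int)has_flag(flags, 31), (int)has_flag(flags, 40));
    printf("signed 1<<30 defined: %d, signed 1<<31 defined: %d\n",
           (int)signed_shift_is_defined(30), (int)signed_shift_is_defined(31));
    return 0;
}
```

Compiling this with `-fsanitize=undefined` (the same instrumentation whose `UBSAN_OPTIONS` output appears in the post) produces no runtime error, which is the quickest way to confirm that a rewrite of the affected shifts in wmf.c, fig.c and svg.c actually removed the undefined behaviour rather than merely silencing a warning.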