Inside the Windows Meta File Format
AnimatePalette
SetPaletteEntries
PolyPolygon
DIBBitBlt
DIBStretchBlt
CreateDIBPatternBrush
CreatePalette
CreatePatternBrush
In fact, the CreateRectRgn function was also vulnerable, but an attack against this would require a file
that was one gigabyte in size.
In addition to the denial-of-service attacks described above, at least 14 functions are known to be vul-
nerable to conditions that cause Internet Explorer on all platforms, and Windows Explorer on
Windows XP (including SP2), to crash instantly upon opening malformed files. The vulnerable
functions are the same as those listed for the buffer overflow functions above, including the
CreateRectRgn function, with the addition of the following functions:
SetBkMode
TextOutA
BitBlt
StretchBlt
ExtTextOutA
SetDIBitsToDevice
StretchDIBits
[W]ant [M]ore [F]reedom
One function is of particular interest in WMF format: the Escape function. The Escape function
enables applications to bypass the GDI layer, and communicate directly with a particular device. This
communication is intended to be directed to a printer, but the display device will accept some
of the commands too.
The Escape function supports a number of subfunctions, most of which are related to printer control,
such as StartDoc and StartPage, and the corresponding EndDoc and EndPage. Not surprisingly, at
least three of these subfunctions contain bugs.
The bugs appear if a non-placeable WMF calls the StartDoc (3 or 4110) or StartPage (10) subfunction
before any call is made to CreateDC(). This is possible in Windows Explorer on Windows XP, for exam-
ple, because there the created device context is compatible with both printer and display devices. The
result is that the viewing application will crash. In order to attack the Windows XP platform, where
the GDI+ layer exists, the minimum file length is 62 bytes.
Finally, we reach the most trusting part of the WMF format parser, which is the cause of most of the
trouble: the SetAbortProc WMF subfunction.
7
