Package: wv
Version: 1.2.9-5
Severity: grave
Justification: renders package unusable and may threaten users' privacy if exploited

Run the following instructions on a Debian 12 64-bit to trigger a SEGFAULT:

  $ sudo apt-get update
  $ sudo apt-get upgrade
  $ sudo apt-get install wv
  $ wvConvert z_wvGetGrpXst.dxx

(the proof-of-concept file is attached)

Error returned:

  Errore di segmentazione

(it's the Italian for "segfault")

Valgrind output

  [..]
  ==7692== Invalid write of size 8
  ==7692==    at 0x487F714: wvGetGrpXst (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
  ==7692==    by 0x488B759: wvDecodeComplex (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
  ==7692==    by 0x488C9FE: wvText (in /usr/lib/x86_64-linux-gnu/libwv-1.2.so.4.0.5)
  ==7692==    by 0x1093F3: ??? (in /usr/bin/wvConvert)
  ==7692==    by 0x4917249: (below main) (libc_start_call_main.h:58)
  ==7692==  Address 0xfffffffffffffff8 is not stack'd, malloc'd or (recently) free'd

GDB Backtrace

  #0  0x00007ffff7f41714 in wvGetGrpXst () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
  #1  0x00007ffff7f4d75a in wvDecodeComplex () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
  #2  0x00007ffff7f4e9ff in wvText () from /lib/x86_64-linux-gnu/libwv-1.2.so.4
  #3  0x00005555555553f4 in ?? ()
  #4  0x00007ffff7d6a24a in __libc_start_call_main (main=main@entry=0x555555555210, argc=argc@entry=2, argv=argv@entry=0x7fffffffe138)
      at ../sysdeps/nptl/libc_start_call_main.h:58
  #5  0x00007ffff7d6a305 in __libc_start_main_impl (main=0x555555555210, argc=2, argv=0x7fffffffe138, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128)
      at ../csu/libc-start.c:360
  #6  0x00005555555555f1 in ?? ()

wv package depends on:

  libc6 libglib2.0-0 libgsf-1-114 libwmf-0.2-7 libwmflite-0.2-7 libwv-1.2-4

Kernel/arch in use:

  Linux debian-test 6.1.0-35-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.137-1 (2025-05-07) x86_64 GNU/Linux

Hardware used in the test:

  Intel Core i7 11700K 8Gb ram (VM on Oracle Virtualbox on the host with 32Gb ram)

Best regards,
Gipoco.

z_wvGetGrpXst.dxx
Description: Binary data