The integer overflow can be triggered via a WMF file containing a specially crafted
PolyPolygon record that specifies an overly large number of points. Attacker-controlled
data will be written past the end of an under-sized heap buffer, ultimately triggering
an access violation that will be handled by an exception handler.
The data written beyond the end of the allocated buffer is influenced by the attacker,
but only the lower 16-bits of each 32-bit word can be controlled and the upper bits will
be either all zeroes or all ones. As the attacker cannot specify a usable address, it
appears unlikely that code execution would be possible, however, it cannot be completely
ruled out.