IrfanView 4.35 - DCX (Multipage PCX) Denial of Service Vulnerability
FMA-2012-028
IrfanView
4.3.5
http://www.irfanview.com
i_view32.exe
4.3.5.0
37C340F0FCC41DCCD2B70532C36E38AB
Windows 7 Home Premium
2012.09.17
2013.03.27
2013.05.27
DCX loading Denial of Service vulnerability.
DoS
IrfanView does not properly sanitize values read from the DCX file header. Invalid image size values (XStart, YStart, XEnd, YEnd) can lead to a Denial of Service.
Access violation exception.
0040E422 |> /8B7424 14 /MOV ESI,DWORD PTR SS:[LOCAL.294]
0040E426 |. |8B7C24 1C |MOV EDI,DWORD PTR SS:[LOCAL.292]
0040E42A |> |8B4C24 10 |MOV ECX,DWORD PTR SS:[LOCAL.295]
0040E42E |. |51 |PUSH ECX ; /Arg4
0040E42F |. |56 |PUSH ESI ; |Arg3
0040E430 |. |6A 01 |PUSH 1 ; |Arg2 = 1
0040E432 |. |55 |PUSH EBP ; |Arg1
0040E433 |. |E8 63520F00 |CALL 0050369B ; \i_view32.0050369B
0040E438 |. |8B4424 34 |MOV EAX,DWORD PTR SS:[LOCAL.290]
0040E43C |. |83C4 10 |ADD ESP,10
0040E43F |. |3BC7 |CMP EAX,EDI
0040E441 |. |7D 14 |JGE SHORT 0040E457
0040E443 |. |8B5424 28 |MOV EDX,DWORD PTR SS:[LOCAL.289]
0040E447 |. |8D72 FE |LEA ESI,[EDX-2]
0040E44A |> |8A0C28 |/MOV CL,BYTE PTR DS:[EBP+EAX] ; [www.FuzzMyApp.com] EAX = XEnd - XStart
0040E44D |. |880E ||MOV BYTE PTR DS:[ESI],CL
0040E44F |. |83C6 03 ||ADD ESI,3
0040E452 |. |40 ||INC EAX
0040E453 |. |3BC7 ||CMP EAX,EDI
0040E455 |.^|7C F3 |\JL SHORT 0040E44A
0040E457 |> |8B7C24 30 |MOV EDI,DWORD PTR SS:[LOCAL.287]
[Image: IrfanView 4.35 - DCX parsing Denial of Service.]
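The kind of header check the description above says is missing, as an added example (not IrfanView's code and not part of the original advisory). It validates the XStart, YStart, XEnd and YEnd fields of one PCX page header before any pixel copy. The field offsets follow the commonly documented 128-byte PCX header, and the function names, result codes and accepted depth values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum pcx_check { PCX_OK, PCX_TRUNCATED, PCX_BAD_MAGIC, PCX_BAD_DEPTH,
                 PCX_BAD_WINDOW, PCX_BAD_STRIDE };

/* Little-endian 16-bit read. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate one PCX page header before any pixel copy. Offsets are the
 * commonly documented 128-byte PCX layout (assumption, not from the page). */
enum pcx_check pcx_validate_header(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 128) return PCX_TRUNCATED;
    if (buf[0] != 0x0A) return PCX_BAD_MAGIC;
    uint8_t bpp = buf[3], planes = buf[65];
    uint16_t xstart = rd16(buf + 4), ystart = rd16(buf + 6);
    uint16_t xend = rd16(buf + 8), yend = rd16(buf + 10);
    uint16_t bytes_per_line = rd16(buf + 66);
    if ((bpp != 1 && bpp != 2 && bpp != 4 && bpp != 8) || planes < 1 || planes > 4)
        return PCX_BAD_DEPTH;
    /* Reject inverted windows so XEnd - XStart can never go negative. */
    if (xend < xstart || yend < ystart) return PCX_BAD_WINDOW;
    uint32_t width = (uint32_t)xend - xstart + 1;
    /* One plane of one scan line must fit inside the declared stride. */
    uint32_t needed = (width * bpp + 7) / 8;
    if (bytes_per_line == 0 || needed > bytes_per_line) return PCX_BAD_STRIDE;
    return PCX_OK;
}

/* Constructed sample: 8 bpp, 1 plane header with the given window and stride. */
enum pcx_check pcx_check_sample(uint16_t xs, uint16_t ys, uint16_t xe,
                                uint16_t ye, uint16_t bpl)
{
    uint8_t h[128];
    memset(h, 0, sizeof h);
    h[0] = 0x0A; h[1] = 5; h[2] = 1; h[3] = 8; h[65] = 1;
    h[4] = xs & 0xFF; h[5] = xs >> 8; h[6] = ys & 0xFF; h[7] = ys >> 8;
    h[8] = xe & 0xFF; h[9] = xe >> 8; h[10] = ye & 0xFF; h[11] = ye >> 8;
    h[66] = bpl & 0xFF; h[67] = bpl >> 8;
    return pcx_validate_header(h, sizeof h);
}
```

A loader would run this check on every page header reached through the DCX offset table and refuse the page on any result other than `PCX_OK`.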