IrfanView (4.27 - 4.32) JPEG 2000 Multi-Layer Image Format (JPM) Multiple Vulnerabilities

IrfanView (4.27 - 4.32) JPEG 2000 Multi-Layer Image Format (JPM) Multiple Vulnerabilities fuzzing, security, blackbox, tests, i_view32.exe, DoS, JPM IrfanView (4.27 - 4.32) JPEG 2000 Multi-Layer Image Format (JPM) Multiple Vulnerabilities FMA-2011-001 IrfanView 4.27 - 4.32 http://www.irfanview.com i_view32.exe 4.32 89804B494D19D98BF54F9365909E626A Windows XP SP3 Home Edition Windows XP SP3 Professional Edition Windows 7 SP1 Home Premium 2011.01.13 2012.02.22 2012.03.11 Integer division by zero in JPM.dll module (version 4.32) during processing of malformed JPM file. DoS Integer division by zero in module JPM.dll at address 0x10056886 (JPM.dll is loaded at 0x10000000). Integer division by zero exception. 10056872 33D2 XOR EDX,EDX 10056874 8A1430 MOV DL,BYTE PTR DS:[EAX+ESI] 10056877 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24] 1005687B 8BFA MOV EDI,EDX 1005687D 8B50 20 MOV EDX,DWORD PTR DS:[EAX+20] 10056880 8D4417 FF LEA EAX,DWORD PTR DS:[EDI+EDX-1] 10056884 33D2 XOR EDX,EDX 10056886 F7F7 DIV EDI ; Integer division by zero 10056888 33D2 XOR EDX,EDX image01s.png 100 68 image01.png Integer division by zero at address 0x10056886 Integer division by zero at address 0x10056886 Integer division by zero in JPM.dll module (version 4.32) during processing of malformed JPM file. DoS Integer division by zero in module JPM.dll at address 0x100568A2 (JPM.dll is loaded at 0x10000000). Integer division by zero exception. 10056888 33D2 XOR EDX,EDX 1005688A 8941 F8 MOV DWORD PTR DS:[ECX-8],EAX 1005688D 8B43 30 MOV EAX,DWORD PTR DS:[EBX+30] 10056890 8A1430 MOV DL,BYTE PTR DS:[EAX+ESI] 10056893 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24] 10056897 8BFA MOV EDI,EDX 10056899 8B50 24 MOV EDX,DWORD PTR DS:[EAX+24] 1005689C 8D4417 FF LEA EAX,DWORD PTR DS:[EDI+EDX-1] 100568A0 33D2 XOR EDX,EDX 100568A2 F7F7 DIV EDI ; Integer division by zero 100568A4 33D2 XOR EDX,EDX image02s.png 100 68 image02.png Integer division by zero at address 0x100568A2 Integer division by zero at address 0x100568A2 Access violation when reading in JPM.dll module (version 4.32) during processing of malformed JPM file. DoS Exception is caused by reading DWORD value from address 0xF00DBAAD, which is not valid. Access violation exception at address 0x100503B6. 100503AC 8BF2 MOV ESI,EDX 100503AE 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18] 100503B2 8B43 1C MOV EAX,DWORD PTR DS:[EBX+1C] 100503B5 51 PUSH ECX 100503B6 8B0CA8 MOV ECX,DWORD PTR DS:[EAX+EBP*4] ; Read from invalid pointer 100503B9 8D5424 34 LEA EDX,DWORD PTR SS:[ESP+34] 100503BD 52 PUSH EDX 100503BE 8B53 20 MOV EDX,DWORD PTR DS:[EBX+20] image03s.png 100 68 image03.png Access violation exception at address 0x100503B6 Access violation exception at address 0x100503B6 Access violation when writing in JPM.dll module (version 4.32) during processing of malformed JPM file. MEM Exception is caused by writing BYTE value at invalid offset calculated in allocated buffer. Access violation exception at address 0x10013C96 10013C82 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; offset 10013C85 03C2 ADD EAX,EDX ; buffer address 10013C87 3BE9 CMP EBP,ECX 10013C89 8BD5 MOV EDX,EBP 10013C8B 73 1A JNB SHORT 10013CA7 10013C8D 8A4E 10 MOV CL,BYTE PTR DS:[ESI+10] 10013C90 8808 MOV BYTE PTR DS:[EAX],CL 10013C92 8A4E 11 MOV CL,BYTE PTR DS:[ESI+11] 10013C95 40 INC EAX 10013C96 8808 MOV BYTE PTR DS:[EAX],CL ; write byte at calculated address 10013C98 8A4E 12 MOV CL,BYTE PTR DS:[ESI+12] image04s.png 100 68 image04.png Access violation exception at address 0x10013C96 Access violation exception at address 0x10013C96 Access violation when writing in JPM.dll module (version 4.32) during processing of malformed JPM file. MEM Exception is caused by writing BYTE value at invalid offset calculated in allocated buffer. Access violation exception at address 0x10013C9C 10013C82 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; offset 10013C85 03C2 ADD EAX,EDX ; buffer address 10013C87 3BE9 CMP EBP,ECX 10013C89 8BD5 MOV EDX,EBP 10013C8B 73 1A JNB SHORT 10013CA7 10013C8D 8A4E 10 MOV CL,BYTE PTR DS:[ESI+10] 10013C90 8808 MOV BYTE PTR DS:[EAX],CL 10013C92 8A4E 11 MOV CL,BYTE PTR DS:[ESI+11] 10013C95 40 INC EAX 10013C96 8808 MOV BYTE PTR DS:[EAX],CL 10013C98 8A4E 12 MOV CL,BYTE PTR DS:[ESI+12] 10013C9B 40 INC EAX 10013C9C 8808 MOV BYTE PTR DS:[EAX],CL ; write byte at calculated address image05s.png 100 68 image05.png Access violation exception at address 0x10013C9C Access violation exception at address 0x10013C9C Access violation when reading in JPM.dll module (version 4.32) during processing of malformed JPM file. DoS Exception is caused by reading DWORD value at invalid address. Access violation exception at address 0x1001F759 1001F751 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; get buffer pointer 1001F755 85C0 TEST EAX,EAX 1001F757 74 09 JE SHORT 1001F762 1001F759 8338 00 CMP DWORD PTR DS:[EAX],0 ; cmp image06s.png 100 68 image06.png Access violation exception at address 0x1001F759 Access violation exception at address 0x1001F759 Access violation when writing in JPM.dll module (version 4.32) during processing of malformed JPM file. DoS Exception is caused by writing DWORD value at invalid address. Access violation exception at address 0x1001EBA7 1001EBA4 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4] ; pointer to output buffer 1001EBA7 890482 MOV DWORD PTR DS:[EDX+EAX*4],EAX ; calculate offset in buffer and write DWORD image07s.png 100 68 image07.png Access violation exception at address 0x1001EBA7 Access violation exception at address 0x1001EBA7 Code execution in JPM.dll module (version 4.32) during processing of malformed JPM file. LCE Code execution is redirected to the heap, and execution starts there. Access violation exception at address 0x007F0069 image08s.png 100 68 image08.png Access violation exception at address 0x007F0069 Access violation exception at address 0x007F0069