IrfanView (4.27 - 4.32) JPEG 2000 Multi-Layer Image Format (JPM) Multiple Vulnerabilities
FMA-2011-001
IrfanView
4.27 - 4.32
http://www.irfanview.com
i_view32.exe
4.32
89804B494D19D98BF54F9365909E626A
Windows XP SP3 Home Edition
Windows XP SP3 Professional Edition
Windows 7 SP1 Home Premium
2011.01.13
2012.02.22
2012.03.11
Integer division by zero in JPM.dll module (version 4.32) while processing a malformed JPM file.
DoS
Integer division by zero in module JPM.dll at address 0x10056886 (JPM.dll is loaded at 0x10000000).
Integer division by zero exception.
10056872 33D2 XOR EDX,EDX
10056874 8A1430 MOV DL,BYTE PTR DS:[EAX+ESI]
10056877 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
1005687B 8BFA MOV EDI,EDX
1005687D 8B50 20 MOV EDX,DWORD PTR DS:[EAX+20]
10056880 8D4417 FF LEA EAX,DWORD PTR DS:[EDI+EDX-1]
10056884 33D2 XOR EDX,EDX
10056886 F7F7 DIV EDI ; Integer division by zero
10056888 33D2 XOR EDX,EDX
[Image: Integer division by zero at address 0x10056886]
Integer division by zero in JPM.dll module (version 4.32) while processing a malformed JPM file.
DoS
Integer division by zero in module JPM.dll at address 0x100568A2 (JPM.dll is loaded at 0x10000000).
Integer division by zero exception.
10056888 33D2 XOR EDX,EDX
1005688A 8941 F8 MOV DWORD PTR DS:[ECX-8],EAX
1005688D 8B43 30 MOV EAX,DWORD PTR DS:[EBX+30]
10056890 8A1430 MOV DL,BYTE PTR DS:[EAX+ESI]
10056893 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
10056897 8BFA MOV EDI,EDX
10056899 8B50 24 MOV EDX,DWORD PTR DS:[EAX+24]
1005689C 8D4417 FF LEA EAX,DWORD PTR DS:[EDI+EDX-1]
100568A0 33D2 XOR EDX,EDX
100568A2 F7F7 DIV EDI ; Integer division by zero
100568A4 33D2 XOR EDX,EDX
[Image: Integer division by zero at address 0x100568A2]
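Both listings above compute a round-up division, (value + d - 1) / d, with a one-byte divisor d that is never tested for zero. The C sketch below is an added example, not code from IrfanView or JPM.dll: it shows the checked form of that calculation, and the function names and the reading of the +0x20 / +0x24 fields as width and height are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The listings compute (dim + d - 1) / d, where d is a single byte
 * (MOV DL,BYTE PTR ...) zero-extended into EDI and then used by DIV EDI.
 * Checked form: reject d == 0 and an addition that would wrap. */
bool scaled_dim(uint32_t dim, uint8_t d, uint32_t *out)
{
    if (out == NULL || d == 0)          /* d == 0 is the DIV EDI fault */
        return false;
    uint32_t add = (uint32_t)d - 1u;
    if (dim > UINT32_MAX - add)         /* dim + d - 1 would wrap to a tiny size */
        return false;
    *out = (dim + add) / d;
    return true;
}

/* Validate every divisor up front, before any size is derived or allocated.
 * Assumption: dx/dy are per-component byte arrays (indexed like ESI) and
 * width/height correspond to the dwords read at +0x20 and +0x24. */
bool validate_components(uint32_t width, uint32_t height,
                         const uint8_t *dx, const uint8_t *dy, size_t n,
                         uint32_t *cw, uint32_t *ch)
{
    for (size_t i = 0; i < n; i++) {
        if (!scaled_dim(width, dx[i], &cw[i]) ||
            !scaled_dim(height, dy[i], &ch[i]))
            return false;               /* reject the file, do not decode */
    }
    return true;
}

int main(void)
{
    /* Constructed sample values: the second vertical divisor is zero. */
    const uint8_t dx[2] = {1, 2}, dy[2] = {1, 0};
    uint32_t cw[2], ch[2];
    bool ok = validate_components(640, 481, dx, dy, 2, cw, ch);
    printf("header %s\n", ok ? "accepted" : "rejected");
    return ok ? 1 : 0;
}
```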
Access violation when reading in JPM.dll module (version 4.32) while processing a malformed JPM file.
DoS
The exception is caused by reading a DWORD value from address 0xF00DBAAD, which is not valid.
Access violation exception at address 0x100503B6.
100503AC 8BF2 MOV ESI,EDX
100503AE 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
100503B2 8B43 1C MOV EAX,DWORD PTR DS:[EBX+1C]
100503B5 51 PUSH ECX
100503B6 8B0CA8 MOV ECX,DWORD PTR DS:[EAX+EBP*4] ; Read from invalid pointer
100503B9 8D5424 34 LEA EDX,DWORD PTR SS:[ESP+34]
100503BD 52 PUSH EDX
100503BE 8B53 20 MOV EDX,DWORD PTR DS:[EBX+20]
[Image: Access violation exception at address 0x100503B6]
Access violation when writing in JPM.dll module (version 4.32) while processing a malformed JPM file.
MemC
The exception is caused by writing a BYTE value at an invalid offset calculated within an allocated buffer.
Access violation exception at address 0x10013C96
10013C82 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; offset
10013C85 03C2 ADD EAX,EDX ; buffer address
10013C87 3BE9 CMP EBP,ECX
10013C89 8BD5 MOV EDX,EBP
10013C8B 73 1A JNB SHORT 10013CA7
10013C8D 8A4E 10 MOV CL,BYTE PTR DS:[ESI+10]
10013C90 8808 MOV BYTE PTR DS:[EAX],CL
10013C92 8A4E 11 MOV CL,BYTE PTR DS:[ESI+11]
10013C95 40 INC EAX
10013C96 8808 MOV BYTE PTR DS:[EAX],CL ; write byte at calculated address
10013C98 8A4E 12 MOV CL,BYTE PTR DS:[ESI+12]
[Image: Access violation exception at address 0x10013C96]
Access violation when writing in JPM.dll module (version 4.32) while processing a malformed JPM file.
MemC
The exception is caused by writing a BYTE value at an invalid offset calculated within an allocated buffer.
Access violation exception at address 0x10013C9C
10013C82 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] ; offset
10013C85 03C2 ADD EAX,EDX ; buffer address
10013C87 3BE9 CMP EBP,ECX
10013C89 8BD5 MOV EDX,EBP
10013C8B 73 1A JNB SHORT 10013CA7
10013C8D 8A4E 10 MOV CL,BYTE PTR DS:[ESI+10]
10013C90 8808 MOV BYTE PTR DS:[EAX],CL
10013C92 8A4E 11 MOV CL,BYTE PTR DS:[ESI+11]
10013C95 40 INC EAX
10013C96 8808 MOV BYTE PTR DS:[EAX],CL
10013C98 8A4E 12 MOV CL,BYTE PTR DS:[ESI+12]
10013C9B 40 INC EAX
10013C9C 8808 MOV BYTE PTR DS:[EAX],CL ; write byte at calculated address
[Image: Access violation exception at address 0x10013C9C]
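The two write faults above share one pattern: an offset of index * 3 is added to a buffer address and three bytes are stored with no check against the buffer size. The C sketch below is an added example, not code from IrfanView or JPM.dll, showing a bounds-checked version of that store; the pixbuf type, the function names and the reading of CMP EBP,ECX as a run bound are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical destination buffer: size is the allocated byte count. */
typedef struct { uint8_t *data; size_t size; } pixbuf;

/* True when bytes index*3 .. index*3+2 all lie inside the buffer.
 * Written as a division so that index*3 can never wrap. */
static bool rgb_index_ok(const pixbuf *b, size_t index)
{
    return b != NULL && b->data != NULL && b->size >= 3 &&
           index <= (b->size - 3) / 3;
}

/* Checked equivalent of the three MOV BYTE PTR DS:[EAX],CL stores. */
bool put_rgb(pixbuf *b, size_t index, const uint8_t rgb[3])
{
    if (!rgb_index_ok(b, index))
        return false;
    memcpy(b->data + index * 3, rgb, 3);
    return true;
}

/* Fill pixels [start, end); the bound is assumed to play the role of the
 * CMP EBP,ECX / JNB test. The whole range is validated before the first
 * store, so a bad run leaves the buffer untouched. */
bool fill_run(pixbuf *b, size_t start, size_t end, const uint8_t rgb[3])
{
    if (start > end)
        return false;
    if (start == end)
        return true;                    /* empty run, nothing to write */
    if (!rgb_index_ok(b, end - 1))      /* last pixel in range => all are */
        return false;
    for (size_t i = start; i < end; i++)
        memcpy(b->data + i * 3, rgb, 3);
    return true;
}
```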
Access violation when reading in JPM.dll module (version 4.32) while processing a malformed JPM file.
DoS
The exception is caused by reading a DWORD value from an invalid address.
Access violation exception at address 0x1001F759
1001F751 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; get buffer pointer
1001F755 85C0 TEST EAX,EAX
1001F757 74 09 JE SHORT 1001F762
1001F759 8338 00 CMP DWORD PTR DS:[EAX],0 ; cmp
[Image: Access violation exception at address 0x1001F759]
Access violation when writing in JPM.dll module (version 4.32) while processing a malformed JPM file.
DoS
The exception is caused by writing a DWORD value to an invalid address.
Access violation exception at address 0x1001EBA7
1001EBA4 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4] ; pointer to output buffer
1001EBA7 890482 MOV DWORD PTR DS:[EDX+EAX*4],EAX ; calculate offset in buffer and write DWORD
[Image: Access violation exception at address 0x1001EBA7]
Code execution in JPM.dll module (version 4.32) while processing a malformed JPM file.
LCE
Code execution is redirected to a heap-allocated buffer, and execution starts there.
Access violation exception at address 0x
[Image: Access violation exception at address 0x]