IrfanView (4.28 - 4.32) Enhanced Metafile (EMF) Multiple Vulnerabilities
fuzzing, security, blackbox, tests, i_view32.exe, DoS, EMF
FMA-2011-003
IrfanView
4.32
http://www.irfanview.com
i_view32.exe
4.3.2.0
89804B494D19D98BF54F9365909E626A
Windows XP SP3 Home Edition
Windows XP SP3 Professional Edition
Windows 7 SP1 Home Premium
2011.01.06
2012.02.20
2012.07.10
Insufficient validation of the Enhanced Metafile header property 'WidthDevMM' leads to Denial of Service.
DoS
Denial of Service is caused by an unhandled exception raised by an integer division by zero at address 0x40b93e.
Integer division by zero in i_view32.exe module at address 0x40b93e.
0040B909 50 PUSH EAX
0040B90A 6A 6C PUSH 6C
0040B90C 51 PUSH ECX
0040B90D C74424 14 6C000>MOV DWORD PTR SS:[ESP+14],6C
0040B915 FF15 64505000 CALL DWORD PTR DS:[505064] ; GDI32.GetEnhMetaFileHeader
0040B91B 85C0 TEST EAX,EAX
0040B91D 74 2A JE SHORT i_view32.0040B949
0040B91F 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
0040B923 8B7C24 1C MOV EDI,DWORD PTR SS:[ESP+1C]
0040B927 8B4C24 54 MOV ECX,DWORD PTR SS:[ESP+54]
0040B92B 2BC7 SUB EAX,EDI
0040B92D 0FAF4424 4C IMUL EAX,DWORD PTR SS:[ESP+4C]
0040B932 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
0040B935 33D2 XOR EDX,EDX
0040B937 5F POP EDI
0040B938 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
0040B93B C1E1 02 SHL ECX,2
0040B93E F7F1 DIV ECX ; [FuzzMyApp.com] Integer division by zero exception
0040B940 99 CDQ
0040B941 33C2 XOR EAX,EDX
0040B943 2BC2 SUB EAX,EDX
0040B945 83C4 6C ADD ESP,6C
0040B948 C3 RETN
[Figure: Integer division by zero exception]
Insufficient validation of the Enhanced Metafile header property 'HeightDevMM' leads to IrfanView Denial of Service.
DoS
Denial of Service is caused by an unhandled exception raised by an integer division by zero at address 0x40b99e.
Integer division by zero in i_view32.exe module at address 0x40b99e.
0040B969 50 PUSH EAX
0040B96A 6A 6C PUSH 6C
0040B96C 51 PUSH ECX
0040B96D C74424 14 6C000>MOV DWORD PTR SS:[ESP+14],6C
0040B975 FF15 64505000 CALL DWORD PTR DS:[505064] ; GDI32.GetEnhMetaFileHeader
0040B97B 85C0 TEST EAX,EAX
0040B97D 74 2A JE SHORT i_view32.0040B9A9
0040B97F 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+28]
0040B983 8B7C24 20 MOV EDI,DWORD PTR SS:[ESP+20]
0040B987 8B4C24 58 MOV ECX,DWORD PTR SS:[ESP+58]
0040B98B 2BC7 SUB EAX,EDI
0040B98D 0FAF4424 50 IMUL EAX,DWORD PTR SS:[ESP+50]
0040B992 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
0040B995 33D2 XOR EDX,EDX
0040B997 5F POP EDI
0040B998 8D0C89 LEA ECX,DWORD PTR DS:[ECX+ECX*4]
0040B99B C1E1 02 SHL ECX,2
0040B99E F7F1 DIV ECX ; [FuzzMyApp.com] Integer division by zero exception
0040B9A0 99 CDQ
0040B9A1 33C2 XOR EAX,EDX
0040B9A3 2BC2 SUB EAX,EDX
0040B9A5 83C4 6C ADD ESP,6C
0040B9A8 C3 RETN
[Figure: Integer division by zero exception]
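Both listings compute (frame extent * device pixels) / (device millimetres * 100) and execute DIV ECX without testing the divisor. The following is an added example, not code from IrfanView or from this advisory, showing a hardened form of that computation in C. The struct and function names are hypothetical, and the mapping of the stack slots to the Windows ENHMETAHEADER fields rclFrame, szlDevice and szlMillimeters is an assumption read from the listings.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical subset of the EMF header fields the listings read.
   Field mapping to ENHMETAHEADER is an assumption (see lead-in). */
struct emf_dims {
    int32_t  frame_lo, frame_hi; /* rclFrame left/right or top/bottom, 0.01 mm units */
    uint32_t dev_px;             /* szlDevice.cx or .cy */
    uint32_t dev_mm;             /* szlMillimeters.cx or .cy ('WidthDevMM' / 'HeightDevMM') */
};

/* Returns 0 and stores the extent in pixels, or -1 if the header is unusable. */
int emf_extent_px(const struct emf_dims *d, uint32_t *out)
{
    /* The listings build dev_mm * 100 in a 32-bit register (LEA, LEA, SHL)
       and divide by it unchecked. Doing the arithmetic in 64 bits means the
       divisor can only be zero when dev_mm itself is zero. */
    uint64_t divisor = (uint64_t)d->dev_mm * 100u;
    if (divisor == 0)
        return -1;                       /* reject the file instead of faulting */

    int64_t span = (int64_t)d->frame_hi - (int64_t)d->frame_lo;
    if (span < 0)
        span = -span;                    /* the listings take the absolute value */

    uint64_t px = (uint64_t)span * d->dev_px / divisor;
    if (px > UINT32_MAX)
        return -1;                       /* implausible size, refuse to render */

    *out = (uint32_t)px;
    return 0;
}

int main(void)
{
    /* Constructed sample values: 210.00 mm frame on a 1024 px / 320 mm device. */
    struct emf_dims ok  = { 0, 21000, 1024, 320 };
    struct emf_dims bad = { 0, 21000, 1024, 0 };
    uint32_t px = 0;

    if (emf_extent_px(&ok, &px) == 0)
        printf("valid header: %u px\n", (unsigned)px);
    if (emf_extent_px(&bad, &px) != 0)
        printf("zero device millimetres: header rejected\n");
    return 0;
}
```

The same guard applies to both the width and the height path, since the two listings differ only in which header fields they load.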