<?xml version="1.0"?>
<?xml-stylesheet href="../fma_report_en.xslt" type="text/xsl" ?>

<advisory xml:space="preserve">
	<meta>
		<description>IrfanView (4.28 - 4.32) JPEG 2000 Multiple Vulnerabilities</description>
		<keywords>fuzzing, security, blackbox, tests, i_view32.exe, DoS, JPEG2000, JP2</keywords>
	</meta>

	<title>IrfanView (4.28 - 4.32) JPEG 2000 Multiple Vulnerabilities</title>
	<id>FMA-2011-003</id>
	
	<application>
		<name>IrfanView</name>
		<version>4.32</version>
		<url>http://www.irfanview.com</url>
		<files>
			<file>
				<name>i_view32.exe</name>
				<version>4.3.2.0</version>
				<md5>89804B494D19D98BF54F9365909E626A</md5>
			</file>
			<file>
				<name>JPEG2000.dll</name>
				<version>4.3.2.0</version>
				<md5>F5A33CD65B2A1387C3D8591622D18A75</md5>
			</file>
		</files>		
		<verified>
			<os>
				<name>Windows XP SP3 Home Edition</name>
			</os>
			<os>
				<name>Windows XP SP3 Professional Edition</name>
			</os>
			<os>
				<name>Windows 7 SP1 Home Premium</name>
			</os>
		</verified>
	</application>
	
	<discovery>
		<found>2011.01.08</found>
		<vendor_notified>2012.02.16</vendor_notified>
		<published>2012.03.25</published>
	</discovery>
	
	<vulnerabilities>
		<vulnerability>
			<name>Access violation exception triggered in JPEG2000.dll module, loaded at address 0x10000000. Access violation exception is caused by read dword operation from invalid address at 0x10011725 (note: the exception and disassembly below are recorded at 0x10008301). FuzzMyApp has identified 1 vulnerable sample during fuzzing of 'Lossless Compression' JP2000 samples, which triggers the given vulnerability.</name>
			<type>LCE</type>
			<description>Access violation exception in JPEG2000.dll module at address 0x10008301.</description>
			<exception>Access violation exception in JPEG2000.dll module at address 0x10008301.</exception>
<disasm>10008301    8B06            MOV EAX,DWORD PTR DS:[ESI]               ; ESI == 2
10008303    85C0            TEST EAX,EAX
10008305    75 04           JNZ SHORT 1000830B
10008307    5F              POP EDI
10008308    5E              POP ESI
10008309    5D              POP EBP
1000830A    C3              RETN
1000830B    8B6C24 1C       MOV EBP,DWORD PTR SS:[ESP+1C]
1000830F    85ED            TEST EBP,EBP
10008311    75 06           JNZ SHORT 10008319
10008313    5F              POP EDI
10008314    5E              POP ESI
10008315    33C0            XOR EAX,EAX
10008317    5D              POP EBP
10008318    C3              RETN
10008319    8B7C24 18       MOV EDI,DWORD PTR SS:[ESP+18]
1000831D    3BFD            CMP EDI,EBP
1000831F    7C 06           JL SHORT 10008327
10008321    5F              POP EDI
10008322    5E              POP ESI
10008323    33C0            XOR EAX,EAX
10008325    5D              POP EBP
10008326    C3              RETN
10008327    85ED            TEST EBP,EBP
10008329    53              PUSH EBX
1000832A    7F 04           JG SHORT 10008330
1000832C    33DB            XOR EBX,EBX
1000832E    EB 5D           JMP SHORT 1000838D
10008330    8B4E 04         MOV ECX,DWORD PTR DS:[ESI+4]
10008333    51              PUSH ECX
10008334    8D55 08         LEA EDX,DWORD PTR SS:[EBP+8]
10008337    52              PUSH EDX
10008338    FFD0            CALL EAX                                 ; we are controlling EAX, if we get here we have CE
1000833A    83C4 08         ADD ESP,8
1000833D    85C0            TEST EAX,EAX</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image01s.png</src>
						<width>100</width>
						<height>71</height>
					</thumbnail>
					<src>image01.png</src>
					<alt>Access violation exception</alt>
					<text>Access violation exception</text>
				</image>
			</images>
		</vulnerability>	
		<vulnerability>
			<name>Denial of Service triggered in JPEG2000.dll module, loaded at address 0x10000000. Denial of Service is caused by integer division by zero at address 0x10010006. FuzzMyApp has identified 15 vulnerable samples during fuzzing of JPEG 2000 samples, which trigger the given vulnerability. The same vulnerability exists for 'Lossless Compression' and '50% Compression' samples.</name>
			<type>DoS</type>
			<description>Integer division by zero in JPEG2000.dll module at address 0x10010006.</description>
			<exception>Integer division by zero in JPEG2000.dll module at address 0x10010006.</exception>
<disasm>1000FFFD    8B50 20         MOV EDX,DWORD PTR DS:[EAX+20]
10010000    8D4417 FF       LEA EAX,DWORD PTR DS:[EDI+EDX-1]
10010004    33D2            XOR EDX,EDX
10010006    F7F7            DIV EDI                                  ; integer division by zero
10010008    33D2            XOR EDX,EDX
1001000A    8941 F8         MOV DWORD PTR DS:[ECX-8],EAX
1001000D    8B43 30         MOV EAX,DWORD PTR DS:[EBX+30]</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image02s.png</src>
						<width>100</width>
						<height>71</height>
					</thumbnail>
					<src>image02.png</src>
					<alt>Integer division by zero</alt>
					<text>Integer division by zero</text>
				</image>
			</images>
		</vulnerability>	
		<vulnerability>
			<name>Denial of Service triggered in JPEG2000.dll module, loaded at address 0x10000000. Denial of Service is caused by integer division by zero at address 0x10010022. FuzzMyApp has identified 9 vulnerable samples during fuzzing of JPEG 2000 samples, which trigger the given vulnerability. The same vulnerability exists for 'Lossless Compression' and '50% Compression' samples.</name>
			<type>DoS</type>
			<description>Integer division by zero in JPEG2000.dll module at address 0x10010022.</description>
			<exception>Integer division by zero in JPEG2000.dll module at address 0x10010022.</exception>
<disasm>10010019    8B50 24         MOV EDX,DWORD PTR DS:[EAX+24]
1001001C    8D4417 FF       LEA EAX,DWORD PTR DS:[EDI+EDX-1]
10010020    33D2            XOR EDX,EDX
10010022    F7F7            DIV EDI                                  ; integer division by zero
10010024    33D2            XOR EDX,EDX
10010026    8941 FC         MOV DWORD PTR DS:[ECX-4],EAX
10010029    8B43 2C         MOV EAX,DWORD PTR DS:[EBX+2C]</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image03s.png</src>
						<width>100</width>
						<height>72</height>
					</thumbnail>
					<src>image03.png</src>
					<alt>Integer division by zero</alt>
					<text>Integer division by zero</text>
				</image>
			</images>
		</vulnerability>	
		<vulnerability>
			<name>Access violation exception triggered in JPEG2000.dll module, loaded at address 0x10000000. Access violation exception is caused by read dword operation from invalid address at 0x10011725. FuzzMyApp has identified 2 vulnerable samples during fuzzing of '50% Compression' JP2000 samples, which trigger the given vulnerability.</name>
			<type>MEM</type>
			<description>Access violation exception in JPEG2000.dll module at address 0x10011725.</description>
			<exception>Access violation exception in JPEG2000.dll module at address 0x10011725.</exception>
<disasm>10011721    8B5C24 20       MOV EBX,DWORD PTR SS:[ESP+20]
10011725    8B6B 10         MOV EBP,DWORD PTR DS:[EBX+10]            ;  read dword from invalid address
10011728    85ED            TEST EBP,EBP
1001172A    75 29           JNZ SHORT 10011755
1001172C    892E            MOV DWORD PTR DS:[ESI],EBP
1001172E    8B5B 04         MOV EBX,DWORD PTR DS:[EBX+4]
10011731    85DB            TEST EBX,EBX
10011733    74 16           JE SHORT 1001174B
10011735    8B4C24 30       MOV ECX,DWORD PTR SS:[ESP+30]
10011739    50              PUSH EAX
1001173A    8B4424 28       MOV EAX,DWORD PTR SS:[ESP+28]
1001173E    50              PUSH EAX
1001173F    51              PUSH ECX
10011740    53              PUSH EBX
10011741    E8 1A74FFFF     CALL 10008B60
10011746    83C4 10         ADD ESP,10
10011749    8906            MOV DWORD PTR DS:[ESI],EAX
1001174B    5F              POP EDI
1001174C    5E              POP ESI
1001174D    5D              POP EBP
1001174E    33C0            XOR EAX,EAX
10011750    5B              POP EBX
10011751    83C4 0C         ADD ESP,0C
10011754    C3              RETN
10011755    8B5424 30       MOV EDX,DWORD PTR SS:[ESP+30]
10011759    8B7424 24       MOV ESI,DWORD PTR SS:[ESP+24]
1001175D    8B4B 0C         MOV ECX,DWORD PTR DS:[EBX+C]
10011760    894424 10       MOV DWORD PTR SS:[ESP+10],EAX
10011764    895424 18       MOV DWORD PTR SS:[ESP+18],EDX
10011768    33D2            XOR EDX,EDX
1001176A    8BC6            MOV EAX,ESI
1001176C    F7F1            DIV ECX
1001176E    33D2            XOR EDX,EDX</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image04s.png</src>
						<width>100</width>
						<height>57</height>
					</thumbnail>
					<src>image04.png</src>
					<alt>Access violation exception</alt>
					<text>Access violation exception</text>
				</image>
			</images>
		</vulnerability>	
		<vulnerability>
			<name>Access violation exception triggered while processing a malformed JPEG 2000 sample on Windows 7. The vulnerability could lead to code execution.</name>
			<type>LCE</type>
			<description>Access violation exception.</description>
			<exception>Access violation exception.</exception>
<disasm></disasm>
			<images>
				<image>
					<thumbnail>
						<src>image05s.png</src>
						<width>100</width>
						<height>64</height>
					</thumbnail>
					<src>image05.png</src>
					<alt>Access violation exception</alt>
					<text>Access violation exception</text>
				</image>
			</images>
		</vulnerability>	
	</vulnerabilities>
</advisory>