IrfanView 4.27 - 4.32 ICO (Icon File) Denial of Service Vulnerability
fuzzing, security, blackbox, tests, i_view32.exe, DoS, ICO
FMA-2011-013
IrfanView
4.27 - 4.32
http://www.irfanview.com
i_view32.exe
4.32
89804B494D19D98BF54F9365909E626A
Windows XP SP3 Home Edition
Windows XP SP3 Professional Edition
Windows 7 SP1 Home Premium
2011.04.07
2012.03.19
2012.04.11
Denial of Service vulnerability caused by invalid pointer dereference.
DoS
IrfanView does not properly validate data read from ICO header properties. The application identifies malformed samples as incorrect ICO files, which is a valid assumption, and then executes the vulnerable function with invalid arguments. The function starting at 0x00016690 (main module RVA) takes two arguments: a buffer address and an offset into it. Invalid values (an invalid pointer) can be forced into these arguments, which leads to an IrfanView Denial of Service. The same issue exists for both types of ICO files: with and without transparent color. FuzzMyApp has identified 14 vulnerable samples for ICO with transparent color, and 14 for ICO without transparent color.
Access violation exception when reading byte value from invalid address.
00416690 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00416694 B2 80 MOV DL,80
00416696 8AC8 MOV CL,AL
00416698 53 PUSH EBX
00416699 80E1 07 AND CL,7
0041669C D2EA SHR DL,CL
0041669E 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
004166A2 C1E8 03 SHR EAX,3
004166A5 8A1C08 MOV BL,BYTE PTR DS:[EAX+ECX] ; read byte from invalid pointer
004166A8 22D3 AND DL,BL
004166AA 5B POP EBX
004166AB F6DA NEG DL
004166AD 1BD2 SBB EDX,EDX
004166AF F7DA NEG EDX
004166B1 8BC2 MOV EAX,EDX
004166B3 C3 RETN
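As an added illustration (not code from IrfanView or from the original advisory), the routine in the listing can be read as a bit-test helper that indexes the buffer with no length check; the C below pairs that reading with a bounds-checked variant. Function and parameter names are hypothetical, and the buffer length parameter is an assumption, since the listing carries no length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reading of the listing: return the bit at bit_index in buf, most
 * significant bit first. Like the original, it trusts both arguments.
 * Names are hypothetical. */
static int get_bit_unchecked(uint32_t bit_index, const uint8_t *buf)
{
    uint8_t mask = (uint8_t)(0x80u >> (bit_index & 7)); /* MOV DL,80 / AND CL,7 / SHR DL,CL */
    uint8_t byte = buf[bit_index >> 3];                 /* SHR EAX,3 / MOV BL,[EAX+ECX] */
    return (byte & mask) != 0;                          /* AND / NEG / SBB / NEG gives 0 or 1 */
}

/* Hardened variant: the caller supplies the number of bytes actually
 * available (assumed parameter). Returns 0 or 1, or -1 when the bit lies
 * outside the buffer, so the caller can reject the file. */
static int get_bit_checked(const uint8_t *buf, size_t buf_len, uint32_t bit_index)
{
    size_t byte_off = (size_t)(bit_index >> 3);

    if (buf == NULL || byte_off >= buf_len)
        return -1;
    return (buf[byte_off] & (0x80u >> (bit_index & 7))) != 0;
}

int main(void)
{
    /* Constructed sample data: 16 bits, 1010 0000 0000 0001. */
    const uint8_t sample[2] = { 0xA0, 0x01 };

    printf("bit 2 (unchecked, in range): %d\n", get_bit_unchecked(2, sample));
    printf("bit 15 (checked):            %d\n", get_bit_checked(sample, sizeof sample, 15));
    /* An index taken from an unvalidated header field is rejected here
     * instead of being dereferenced. */
    printf("bit 16 (checked):            %d\n", get_bit_checked(sample, sizeof sample, 16));
    printf("bit 0xFFFFFFFF (checked):    %d\n",
           get_bit_checked(sample, sizeof sample, 0xFFFFFFFFu));
    return 0;
}
```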