IrfanView 4.27 - 4.32 ICO (Icon File) Denial of Service Vulnerability fuzzing, security, blackbox, tests, i_view32.exe, DoS, ICO FMA-2011-013 IrfanView 4.27 - 4.32 http://www.irfanview.com i_view32.exe 4.32 89804B494D19D98BF54F9365909E626A Windows XP SP3 Home Edition Windows XP SP3 Professional Edition Windows 7 SP1 Home Premium 2011.04.07 2012.03.19 2012.04.11 Denial of Service vulnerability caused by invalid pointer dereference. DoS IrfanView does not properly validate data read form ICO header properties. Application indentifies malformed samples as incorrect ICO files, which is a valid assumption, and executes vulnerable function with invalid arguments. Function starting at 0x00016690 (main module RVA) takes two arguments: buffer address and offset in it. It is possible to enforce invalid values to be passed as arguments (invalid pointer), which will lead to IrfanView Denial of Service. The same issue exists for both types of ICO files: with and without transparent color. FuzzMyApp has indentified 14 vulnerable samples for ICO with transparent color, and 14 for ICO without transparent color. Access violation exception when reading byte value from invalid address. 00416690 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] 00416694 B2 80 MOV DL,80 00416696 8AC8 MOV CL,AL 00416698 53 PUSH EBX 00416699 80E1 07 AND CL,7 0041669C D2EA SHR DL,CL 0041669E 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] 004166A2 C1E8 03 SHR EAX,3 004166A5 8A1C08 MOV BL,BYTE PTR DS:[EAX+ECX] ; ready byte from invalid pointer 004166A8 22D3 AND DL,BL 004166AA 5B POP EBX 004166AB F6DA NEG DL 004166AD 1BD2 SBB EDX,EDX 004166AF F7DA NEG EDX 004166B1 8BC2 MOV EAX,EDX 004166B3 C3 RETN image01s.png 100 67 image01.png Access violation exception when reading byte value from invalid address. Access violation exception when reading byte value from invalid address.