<?xml version="1.0"?>
<?xml-stylesheet href="../fma_report_en.xslt" type="text/xsl" ?>

<advisory xml:space="preserve">
	<meta>
		<description>IrfanView 4.35 - DCX (Multipage PCX) Denial of Service Vulnerability</description>
		<keywords>fuzzing, security, blackbox, tests, IrfanView, DoS, DCX, Multipage PCX</keywords>
	</meta>

	<title>IrfanView 4.35 - DCX (Multipage PCX) Denial of Service Vulnerability</title>
	<id>FMA-2012-028</id>
	
	<!-- Affected product and the exact build the finding was recorded against.
	     files/file labels the tested binary by name, file version and MD5.
	     NOTE(review): the title writes the release as 4.35 while version below is 4.3.5;
	     presumably the same release. Confirm which notation consumers of this file expect.
	     NOTE(review): MD5 is enough to label the sample but is not collision-resistant;
	     a SHA-256 of the same binary would be a stronger identifier if it is still available.
	     verified/os is presumably the platform on which the crash was confirmed. -->
	<application>
		<name>IrfanView</name>
		<version>4.3.5</version>
		<url>http://www.irfanview.com</url>
		<files>
			<file>
				<name>i_view32.exe</name>
				<version>4.3.5.0</version>
				<md5>37C340F0FCC41DCCD2B70532C36E38AB</md5>
			</file>
		</files>		
		<verified>
			<os>
				<name>Windows 7 Home Premium</name>
			</os>
		</verified>
	</application>
	
	<!-- Disclosure timeline. Dates are written YYYY.MM.DD (the last field reaches 27,
	     so it cannot be a month). Publication follows vendor notification by two months.
	     NOTE(review): no field records a vendor response or a fixed version, so readers
	     cannot tell from this file whether later releases are still affected. -->
	<discovery>
		<found>2012.09.17</found>
		<vendor_notified>2013.03.27</vendor_notified>
		<published>2013.05.27</published>
	</discovery>

	<vulnerabilities>
        <vulnerability>
			<name>DCX loading Denial of Service vulnerability.</name>
			<type>DoS</type>
			<description>IrfanView does not properly validate the values it reads from the DCX file header. Invalid image size values (XStart, YStart, XEnd, YEnd) can lead to an access violation while the file is loaded, resulting in a Denial of Service.</description>
			<exception>Access violation exception.</exception>
<!-- Annotated disassembly from i_view32.exe around the loop named in the description.
     0040E44A..0040E455 copies one byte per iteration from [EBP+EAX] to [ESI],
     advancing the destination by 3 and the index EAX by 1 while EAX is below EDI
     (JL and JGE are signed comparisons). The author's inline annotation ties EAX to
     XEnd - XStart, so the index is derived from the DCX header fields that the
     description says are not validated.
     NOTE(review): the listing shows neither the buffer sizes nor which access faults;
     presumably the read at 0040E44A runs outside the source buffer. Confirm in a debugger.
     A fix would range-check the header fields (XEnd not below XStart, YEnd not below
     YStart, derived sizes within the allocated buffers) before this loop is reached.
     The text inside disasm is preformatted (xml:space="preserve" on the root element),
     so notes belong outside the element. -->
<disasm>0040E422  |> /8B7424 14     /MOV ESI,DWORD PTR SS:[LOCAL.294]
0040E426  |. |8B7C24 1C     |MOV EDI,DWORD PTR SS:[LOCAL.292]
0040E42A  |> |8B4C24 10     |MOV ECX,DWORD PTR SS:[LOCAL.295]
0040E42E  |. |51            |PUSH ECX                                ; /Arg4
0040E42F  |. |56            |PUSH ESI                                ; |Arg3
0040E430  |. |6A 01         |PUSH 1                                  ; |Arg2 = 1
0040E432  |. |55            |PUSH EBP                                ; |Arg1
0040E433  |. |E8 63520F00   |CALL 0050369B                           ; \i_view32.0050369B
0040E438  |. |8B4424 34     |MOV EAX,DWORD PTR SS:[LOCAL.290]
0040E43C  |. |83C4 10       |ADD ESP,10
0040E43F  |. |3BC7          |CMP EAX,EDI
0040E441  |. |7D 14         |JGE SHORT 0040E457
0040E443  |. |8B5424 28     |MOV EDX,DWORD PTR SS:[LOCAL.289]
0040E447  |. |8D72 FE       |LEA ESI,[EDX-2]
0040E44A  |> |8A0C28        |/MOV CL,BYTE PTR DS:[EBP+EAX]           ; [www.FuzzMyApp.com] EAX = XEnd - XStart
0040E44D  |. |880E          ||MOV BYTE PTR DS:[ESI],CL
0040E44F  |. |83C6 03       ||ADD ESI,3
0040E452  |. |40            ||INC EAX
0040E453  |. |3BC7          ||CMP EAX,EDI
0040E455  |.^|7C F3         |\JL SHORT 0040E44A
0040E457  |> |8B7C24 30     |MOV EDI,DWORD PTR SS:[LOCAL.287]</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image01s.png</src>
						<width>100</width>
						<height>56</height>
					</thumbnail>
					<src>image01.png</src>
					<alt>IrfanView 4.35 - DCX parsing Denial of Service.</alt>
					<text>IrfanView 4.35 - DCX parsing Denial of Service.</text>
				</image>
			</images>
            
		</vulnerability>	
	</vulnerabilities>
</advisory>