KLA11064
Multiple vulnerabilities in IrfanView

Multiple serious vulnerabilities have been found in IrfanView 4.44. Malicious users can exploit these vulnerabilities to cause a denial of service or execute arbitrary code.

Below is a complete list of vulnerabilities:

1. An integer overflow vulnerability in the JPEG 2000 parser can be exploited remotely via a specially designed JPEG 2000 image to execute arbitrary code;
2. Multiple buffer overflow vulnerabilities can be exploited locally via specially designed *.rle files to cause a denial of service or execute arbitrary code;
3. Multiple buffer overflow vulnerabilities in Irfan View 4.44 with FPX Plugin 4.47 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
4. A buffer overflow vulnerability related to «Data from Faulting Address controls Branch Selection starting at USER32!wvsprintfA+0x00000000000002f3.» issue can be exploited locally via a specially designed file to execute arbitrary code;
5. A buffer overflow vulnerability in Irfan View 4.44 with FPX Plugin 4.45 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
6. A buffer overflow vulnerability can be exploited locally via specially designed *.mov files to execute arbitrary code;
7. Multiple buffer overflow vulnerabilities in Irfan View 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
8. A buffer overflow vulnerability in Irfan View 4.44 with FPX Plugin 4.46 can be exploited locally via specially designed *.fpx files to cause a denial of service or execute arbitrary code;
9. Multiple buffer overflow vulnerabilities in Irfan View 4.44 with TOOLS Plugin 4.50 can be exploited locally via specially designed files to cause a denial of service or execute arbitrary code;
10. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.svg file to cause a denial of service;
11. A buffer overflow vulnerability can be exploited locally via a specially designed *.ani file to cause a denial of service;
12. A buffer overflow vulnerability can be exploited locally via a specially designed *.djvu file to cause a denial of service;
13. Multiple buffer overflow vulnerabilities can be exploited locally via a specially designed *.pdf file to cause a denial of service and execute arbitrary code;
14. A buffer overflow vulnerability can be exploited locally via a specially designed *.tif file to cause a denial of service.

Technical details

Vulnerability (1) occurs while viewing image in IrfanView or by using its thumbnailing feature.

Vulnerabilities (2) are related to:

1. «User Mode Write AV starting at ntdll_77df0000!RtlpWaitOnCriticalSection+0x0000000000000121.»
2. «User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d96.»
3. «User Mode Write AV starting at FORMATS!GetPlugInInfo+0x0000000000007d80.»
4. «Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpAllocateHeap+0x0000000000000429.»
5. «Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.»
6. «Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpEnterCriticalSectionContended+0x0000000000000031.»
7. «Invalid Handle starting at wow64!Wow64NotifyDebugger+0x000000000000001d.»
8. «Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x00000000000003ca.»

Vulnerabilities (3) are related to:

«User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.»
«Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.»
«User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a529.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b3ae.»
«Read Access Violation starting at wow64!Wow64NotifyDebugger+0x000000000000001d.»

Vulnerability (6) exists because of a User Mode Write AV near NULL.

Vulnerabilities (7) are related to:

«User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000000f53.»
«User Mode Write AV starting at FPX+0x000000000000176c.»
«User Mode Write AV starting at FPX+0x0000000000001555.»
«User Mode Write AV starting at FPX!DE_Decode+0x0000000000000a9b.»
«User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000017426.»
«User Mode Write AV starting at FPX!GetPlugInInfo+0x0000000000016e53.»
«Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014eb.»
«Read Access Violation on Control Flow starting at FPX!GetPlugInInfo+0x0000000000012bf2.»
«User Mode Write AV starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007822.»
«User Mode Write AV starting at FPX!DE_Decode+0x0000000000000cdb.»
«Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c995.»
«Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c998.»
«Read Access Violation on Control Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000c99a.»
«Data from Faulting Address controls subsequent Write Address starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000a525.»
«Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007236.»
«Data from Faulting Address controls Code Flow starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000014e7.»
«Read Access Violation on Block Data Move starting at FPX!FPX_GetScanDevicePropertyGroup+0x000000000000b84f.»
Data from Faulting Address controls Code Flow starting at FPX+0x0000000000007216
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpCoalesceFreeBlocks+0x00000000000001b6.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000006a98.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpLowFragHeapFree+0x000000000000001f.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX+0x000000000000688d.»
«Data from Faulting Address controls Branch Selection starting at FPX!FPX_GetScanDevicePropertyGroup+0x00000000000031a0.»
«Read Access Violation starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000003714.»
«Read Access Violation starting at FPX+0x000000000000153a.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at FPX!FPX_GetScanDevicePropertyGroup+0x0000000000007053.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlpFreeHeap+0x0000000000000393.»

Vulnerabilities (9) are related to:

«Read Access Violation on Block Data Move starting at ntdll_77df0000!memcpy+0x0000000000000033.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!RtlFreeHandle+0x00000000000001b6.»
«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at ntdll_77df0000!RtlFreeHandle+0x0000000000000218.»
«Data from Faulting Address controls Branch Selection starting at.» KERNELBASE!QueryOptionalDelayLoadedAPI+0x0000000000000c42.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResCompareResourceNames+0x0000000000000087.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResSearchResourceInsideDirectory+0x000000000000029e.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpResGetMappingSize+0x00000000000003cc.»
«Data from Faulting Address controls Branch Selection starting at ntdll_77df0000!LdrpCompareResourceNames_U+0x0000000000000062.»

Vulnerabilities (10) are related to:

«Data from Faulting Address controls Branch Selection starting at image00000000_00400000+0x000000000011d767.»
«Data from Faulting Address controls Branch Selection starting at CADIMAGE+0x000000000001f23e.»

Vulnerability (11) related to «Data from Faulting Address controls Branch Selection starting at ntdll_77130000!RtlpCoalesceFreeBlocks+0x00000000000004b4.»

Vulnerability (12) related to «Data from Faulting Address controls Branch Selection starting at DJVU!GetPlugInInfo+0x000000000001c613.»

Vulnerabilities 10-12 affect only 32-bit version of IrfanView.

Vulnerability (13) related to:

«Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x000000000009174a.»
«Read Access Violation starting at PDF!xmlParserInputRead+0x0000000000161a9c.»
«Data from Faulting Address controls Branch Selection starting at PDF!xmlParserInputRead+0x000000000011624a.»
«Data from Faulting Address may be used as a return value starting at PDF!xmlParserInputRead+0x0000000000129a59.»
«Possible Stack Corruption starting at PDF!xmlGetGlobalState+0x0000000000057b35.»
«Data from Faulting Address controls Code Flow starting at PDF!xmlParserInputRead+0x0000000000048d0c.»
«Data from Faulting Address controls Branch Selection starting at PDF!xmlListWalk+0x00000000000166c4.»

Vulnerability (14) related to:

«Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at image00000000_00400000+0x00000000000236e4.»

NB: Not every vulnerability already has CVSS rating, so cumulative CVSS rating can be not representative.

IrfanView version 4.44

Update to the latest version
IrfanView — Official Homepage