Vulnerability Spotlight: IrfanView Jpeg2000 Reference Tile width Arbitrary Code Execution Vulnerability
Discovered by Aleksandar Nikolic of Cisco Talos
Talos is disclosing TALOS-2017-0310 / CVE-2017-2813, an arbitrary code execution vulnerability in the JP2 plugin for IrfanView image viewer. IrfanView is a widely used, Windows based, image viewing and editing application.
This particular vulnerability is in the jpeg2000 plugin (JP2) for IrfanView resulting in an integer overflow which leads to a wrong memory allocation and eventual arbitrary code execution. This vulnerability is specifically related to the way in which the plugin leverages the reference tile width value in a buffer size allocation. There are insufficient checks being done which can result in a small buffer being allocated for a large tile. This results in a controlled out of bounds write vulnerability. This out of bounds write bug can be further leveraged to achieve code execution in the application. This vulnerability can be triggered by either viewing an image in the application or by using the thumb nailing feature of IrfanView.