An IrfanView screenshot. The JP2 plug-in for the IrfanView application has been updated to address an integer overflow error that can ultimately lead to remote code execution.
An IrfanView screenshot. The JP2 plug-in for the IrfanView application has been updated to address an integer overflow error that can ultimately lead to remote code execution.

The jpeg2000 (JP2) plug-in for the Windows-based image viewing and editing application IrfanView has been updated to address a vulnerability that can lead to arbitrary code execution, Cisco's Talos division has reported.

Discovered by Talos researcher Aleksandar Nikolic and officially designated CVE-2017-2813, the bug is an integer overflow error that results in a wrong memory allocation, which can then be exploited to perform code execution. 

"This vulnerability is specifically related to the way in which the plug-in leverages the reference tile width value in a buffer size allocation," Talos explains in the post. "There are insufficient checks being done which can result in a small buffer being allocated for a large tile. This results in a controlled out-of-bounds write vulnerability.

The vulnerability is triggered when the user views an image in the application or uses the application's thumbnailing feature, Talos notes.

The latest, patched version of the IrfanView plug-in is available via the IrfanView website.

"The problem is not in IrfanView itself; it is in an external third-party plugin," said InfanView creator Irfan Skiljan, in comments sent to SC Media. "Most users do not install plugins, so the problem is not affecting many IrfanView users."