An uninitialized heap variable vulnerability of XnView Classic


TheCjw
Posts: 2
Joined: Fri Dec 20, 2019 8:26 am

An uninitialized heap variable vulnerability of XnView Classic

Post by TheCjw »

Hi,

An uninitialized heap variable vulnerability has been found in XnView Classic for Windows 2.49.2, which may cause some security impact.

System & Software setup:
- Windows 10 Pro 18363 x64/Windows Server 2019 Datacenter 17763 x64
- XnView Classic for Windows v2.49.2

Steps to reproduce:
1. Launch XnView with default config.
2. Navigate to a folder that contains some image files.
3. Select one of them, press F11 to enter full screen mode.
4. Exit the full-screen preview by pressing Ctrl+W or choosing the 'close' item from the popup menu.
5. XnView will crash immediately.

The crash info is (with page heap enabled):

(62c.1540): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=4c4d4948 ebx=c0c0c0c0 ecx=c0c0c0bc edx=4c4d4948 esi=00000000 edi=012fefcc
eip=7128311c esp=012fef74 ebp=012fefa0 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
COMCTL32!CImageListBase::IsValid+0x4c:
7128311c f00fb111        lock cmpxchg dword ptr [ecx],edx ds:002b:c0c0c0bc=????????
0:000> k
 # ChildEBP RetAddr  
00 012fefa0 712830a6 COMCTL32!CImageListBase::IsValid+0x4c
01 012fefb0 71282c58 COMCTL32!HIMAGELIST_QueryInterface+0x26
02 012fefe4 0096ac2d COMCTL32!ImageList_Destroy+0x28
WARNING: Stack unwind information not available. Following frames may be wrong.
03 012ff030 775b61bb xnview+0xcac2d
04 012ff05c 775a74dc USER32!_InternalCallWinProc+0x2b
05 012ff140 775a707a USER32!UserCallWinProcCheckWow+0x3ac
06 012ff1a4 775b360f USER32!DispatchClientMessage+0xea
07 012ff1e0 778a28ed USER32!__fnDWORD+0x3f

Here's a brief analysis of this vulnerability:
1. XnView creates a SysTreeView32 control at startup.
2. Then a heap object (size 0x4C) is created but is not zeroed out.
3. The heap object is associated with the SysTreeView32 control via SetWindowLongA.
4. When the user exits full screen, a callback is triggered; it recovers the heap object via GetWindowLongA and invokes its member function.
5. The member function reads a variable from the heap object, which is uninitialized. Then it calls ImageList_Destroy with the uninitialized value.

Thanks.
Last edited by TheCjw on Tue Dec 24, 2019 12:57 pm, edited 1 time in total.
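The bug class in the analysis above, as an added C illustration that is not XnView's code: a per-window state object is allocated without initialisation, and the close callback later passes one of its fields to ImageList_Destroy. The struct layout, the 0xC0 page-heap fill stand-in and the ImageList_Destroy stub are assumptions; the real object size (0x4C) and the c0c0c0c0 register values come from the report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Page heap fills fresh allocations with 0xC0; the c0c0c0c0 registers in the dump are this pattern. */
#define PAGEHEAP_FILL 0xC0

/* Assumed layout: the report only says the real object is 0x4C bytes and holds an image-list handle. */
typedef struct {
    uint32_t flags;
    void    *image_list;   /* HIMAGELIST stand-in, later passed to ImageList_Destroy */
    uint8_t  other[48];
} view_state;

/* Stand-in for HeapAlloc with page heap enabled: the block arrives filled with 0xC0. */
static void *pageheap_alloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, PAGEHEAP_FILL, n);
    return p;
}

/* Vulnerable pattern from the report: allocate, store the pointer on the window, initialise nothing. */
view_state *create_state_vulnerable(void) {
    return (view_state *)pageheap_alloc(sizeof(view_state));
}

/* Fixed pattern: zero the object, so image_list is NULL until a list is actually created. */
view_state *create_state_fixed(void) {
    view_state *s = (view_state *)pageheap_alloc(sizeof(view_state));
    if (s) memset(s, 0, sizeof(*s));
    return s;
}

/* Returns 1 when image_list still consists only of the page-heap fill byte (the crash-dump tell). */
int looks_uninitialised(const view_state *s) {
    const uint8_t *b = (const uint8_t *)&s->image_list;
    for (size_t i = 0; i < sizeof(s->image_list); i++)
        if (b[i] != PAGEHEAP_FILL) return 0;
    return 1;
}

/* Stand-in for ImageList_Destroy: returns 1 if it would dereference the handle. */
static int imagelist_destroy_stub(void *himl) { return himl != NULL; }

/* The close callback (steps 4-5). Returns 1 if an uninitialised handle reached ImageList_Destroy. */
int run_scenario(int use_fixed) {
    view_state *s = use_fixed ? create_state_fixed() : create_state_vulnerable();
    if (!s) return -1;
    int bad = looks_uninitialised(s) && imagelist_destroy_stub(s->image_list);
    free(s);
    return bad;
}
```

With the fixed constructor the callback sees a NULL handle and skips the destroy; the 0xC0 check is the same heuristic a reader can apply to the register dump above when triaging a page-heap crash.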
xnview
Author of XnView
Posts: 40584
Joined: Mon Oct 13, 2003 7:31 am
Location: France

Re: An uninitialized heap variable vulnerability of XnView Classic

Post by xnview »

Are you able to reproduce it each time? I can't on Win10 Pro.
Pierre.
TheCjw
Posts: 2
Joined: Fri Dec 20, 2019 8:26 am

Re: An uninitialized heap variable vulnerability of XnView Classic

Post by TheCjw »

Yes, it's stable on my machines; I used the zip version with the default config.

And I found an easy way to reproduce it: just press Ctrl+W.
xnview
Author of XnView
Posts: 40584
Joined: Mon Oct 13, 2003 7:31 am
Location: France

Re: An uninitialized heap variable vulnerability of XnView Classic

Post by xnview »

Which formats do you have in this folder?
Pierre.