CVE-2020-23546: 
IrfanView vulnerability analysis and mitigation

IrfanView 4.54 was discovered to contain a denial of service vulnerability when processing XBM files. The vulnerability is tracked as CVE-2020-23546 and affects the FORMATS.dll plugin component of IrfanView. The issue was identified in 2020 and relates to improper handling of data from faulting addresses that are subsequently used in function calls starting at FORMATS!ReadMosaic+0x981 (Github Research).

The vulnerability exists in the way IrfanView processes XBM files, specifically in the FORMATS!ReadMosaic+0x981 function where data from a faulting address (dcd9deb4) is used as an argument in subsequent function calls. The technical trace shows the vulnerability manifests at: FORMATS!ReadMosaic+0x981: 10003171 8a91e8110d10 mov dl,byte ptr FORMATS!GetPlugInInfo+0x9b0b8 (Github Research).

The vulnerability could allow attackers to cause a denial of service condition or potentially have other unspecified impacts on the affected system when processing specially crafted XBM files (NVD).

The vendor has fixed this vulnerability in updated versions of the FORMATS plugin. Users should update to the latest version of IrfanView and its plugins. The fix is available through the official IrfanView plugin download page (IrfanView Plugins).