CVE-2021-27362

An attacker crafts a malicious WPG file that triggers a read access violation when parsed by IrfanView's WPG.DLL plugin. The vulnerability is triggered when the user opens the crafted WPG file in IrfanView. The decompiled code shows that the write routine `sub_7C42E78` computes buffer offsets using attacker-controlled dimensions and bit-depth values without validating that the resulting offset stays within allocated memory, leading to a read from unallocated or freed memory [ref_id=1].

The vulnerability resides in the WPG.DLL plugin (version before 3.1.0.0) for IrfanView 4.57. The crash occurs in the function `ReadWPG_W+0x133` (as referenced in the CVE description), which corresponds to the decompiled function `sub_7C42E78` that writes pixel data into a buffer. The caller function `sub_7C4326C` invokes this write routine in a loop without proper bounds checking [ref_id=1].

The advisory does not provide a patch diff. The vendor recommendation is to upgrade to the latest available version of the WPG plugin (3.1.0.0 or later) which patches the security issues [ref_id=1]. No specific fix details are published in the available reference materials.