WinImage 8.10 and earlier allows remote attackers to cause a denial of service (infinite loop) via an invalid BPB_BytsPerSec field in the header of a .IMG file.
https://exchange.xforce.ibmcloud.com/vulnerabilities/36669
http://www.securityfocus.com/archive/1/479695/100/0/threaded