From 8a8e41875171f115c7b97608a8b7625787b48b47 Mon Sep 17 00:00:00 2001
From: Pete Batard
Date: Tue, 9 Apr 2024 00:09:21 +0200
Subject: [PATCH] [iso] fix a buffer overflow in iso9660/iso9660_fs.c

* Whereas the length of the buffer allocated for the UTF-8 filename string is the same length as the UCS-2 (which means it can store twice as many UTF-8 bytes as there are characters in the filename), it is still possible for the converted UTF-8 string to overflow this buffer if the name contains glyphs that use 3 or 4-byte sequences.
* As a result, use strncpy with the actual size of the UTF-8 filename buffer (the following bytes are calloc'd to zero so the truncated string will be NUL terminated) and produce a warning if the filename is truncated.
* Vulnerability discovered and reported by Mansour Gashasbi (@gashasbi).
---
 src/libcdio/iso9660/iso9660_fs.c | 7 +++++--
 src/rufus.rc | 10 +++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/libcdio/iso9660/iso9660_fs.c b/src/libcdio/iso9660/iso9660_fs.c
index b6e66a99..d5931509 100644
--- a/src/libcdio/iso9660/iso9660_fs.c
+++ b/src/libcdio/iso9660/iso9660_fs.c
@@ -865,8 +865,11 @@ _iso9660_recname_to_cstring(const char *src, size_t src_len,
 cdio_utf8_t *p_psz_out = NULL;
 
 if (cdio_charset_to_utf8(src, i_inlen, &p_psz_out, "UCS-2BE")) {
-if (cpy_result != NULL)
-strcpy(cpy_result, p_psz_out);
+if (cpy_result != NULL) {
+strncpy(cpy_result, p_psz_out, i_inlen);
+if (strlen(p_psz_out) > i_inlen)
+cdio_warn("file name '%s' will be truncated", p_psz_out);
+}
 if (alloc_result != NULL)
 *alloc_result = p_psz_out;
 else
diff --git a/src/rufus.rc b/src/rufus.rc
index f10f7a8c..84e022c2 100644
--- a/src/rufus.rc
+++ b/src/rufus.rc
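Review bot: The new `strncpy(cpy_result, p_psz_out, i_inlen)` only yields a NUL-terminated string because of a contract this hunk cannot see: when `strlen(p_psz_out) >= i_inlen`, strncpy writes no terminator at all, so termination rests entirely on the caller's buffer being calloc'd and larger than `i_inlen` (as the commit message asserts), and the cut can also land inside a 2–4 byte UTF-8 sequence, leaving an invalid string in `cpy_result`. I would make the termination explicit here, truncate on a code-point boundary, and state the precondition next to the copy, e.g. `/* cpy_result must hold at least i_inlen + 1 bytes (see caller's calloc) */`, so a later change to the allocation does not silently reintroduce the overflow. The explicit terminator written at `cpy_result[out_len]` assumes the byte past `i_inlen` exists, which is inferred from the commit message rather than visible code; confirm against the caller's allocation. `_iso9660_recname_to_cstring` begins before this hunk and continues after it (the `else` branch body is not shown).
```c
      if (cpy_result != NULL) {
        /* cpy_result must hold at least i_inlen + 1 bytes (see caller's calloc) */
        size_t out_len = strlen(p_psz_out);
        if (out_len > i_inlen) {
          cdio_warn("file name '%s' will be truncated", p_psz_out);
          out_len = i_inlen;
          /* Never cut a multi-byte UTF-8 sequence in half: step back over continuation bytes. */
          while (out_len > 0 && (((unsigned char)p_psz_out[out_len]) & 0xC0) == 0x80)
            out_len--;
        }
        memcpy(cpy_result, p_psz_out, out_len);
        cpy_result[out_len] = '\0';   /* explicit terminator, independent of the caller's zero-fill */
      }
      /* … unchanged: alloc_result handling … */
```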
@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.5.2125"
+CAPTION "Rufus 4.5.2126"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
 LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -397,8 +397,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,5,2125,0
- PRODUCTVERSION 4,5,2125,0
+ FILEVERSION 4,5,2126,0
+ PRODUCTVERSION 4,5,2126,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -416,13 +416,13 @@ BEGIN
 VALUE "Comments", "https://rufus.ie"
 VALUE "CompanyName", "Akeo Consulting"
 VALUE "FileDescription", "Rufus"
-VALUE "FileVersion", "4.5.2125"
+VALUE "FileVersion", "4.5.2126"
 VALUE "InternalName", "Rufus"
 VALUE "LegalCopyright", "� 2011-2024 Pete Batard (GPL v3)"
 VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
 VALUE "OriginalFilename", "rufus-4.5.exe"
 VALUE "ProductName", "Rufus"
-VALUE "ProductVersion", "4.5.2125"
+VALUE "ProductVersion", "4.5.2126"
 END
 END
 BLOCK "VarFileInfo"