1
1
Fork 0
mirror of https://github.com/pbatard/rufus.git synced 2024-08-14 23:57:05 +00:00

[iso] fix a buffer overflow in iso9660/iso9660_fs.c

* Whereas the length of the buffer allocated for the UTF-8 filename string is
  the same length as the UCS-2 (which means it can store twice as many UTF-8
  bytes as there are characters in the filename), it is still possible for the
  converted UTF-8 string to overflow this buffer if the name contains glyphs
  that use 3 or 4-byte sequences.
* As a result, use strncpy with the actual size of the UTF-8 filename buffer
  (the following bytes are calloc'd to zero so the truncated string will be
  NUL terminated) and produce a warning if the filename is truncated.
* Vulnerability discovered and reported by Mansour Gashasbi (@gashasbi).
This commit is contained in:
Pete Batard 2024-04-09 00:09:21 +02:00
parent 4eda8d9d5c
commit 8a8e418751
No known key found for this signature in database
GPG key ID: 38E0CF5E69EDD671
2 changed files with 10 additions and 7 deletions

View file

@ -865,8 +865,11 @@ _iso9660_recname_to_cstring(const char *src, size_t src_len,
cdio_utf8_t *p_psz_out = NULL; cdio_utf8_t *p_psz_out = NULL;
if (cdio_charset_to_utf8(src, i_inlen, &p_psz_out, "UCS-2BE")) { if (cdio_charset_to_utf8(src, i_inlen, &p_psz_out, "UCS-2BE")) {
if (cpy_result != NULL) if (cpy_result != NULL) {
strcpy(cpy_result, p_psz_out); strncpy(cpy_result, p_psz_out, i_inlen);
if (strlen(p_psz_out) > i_inlen)
cdio_warn("file name '%s' will be truncated", p_psz_out);
}
if (alloc_result != NULL) if (alloc_result != NULL)
*alloc_result = p_psz_out; *alloc_result = p_psz_out;
else else

View file

@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
IDD_DIALOG DIALOGEX 12, 12, 232, 326 IDD_DIALOG DIALOGEX 12, 12, 232, 326
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_ACCEPTFILES EXSTYLE WS_EX_ACCEPTFILES
CAPTION "Rufus 4.5.2125" CAPTION "Rufus 4.5.2126"
FONT 9, "Segoe UI Symbol", 400, 0, 0x0 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
BEGIN BEGIN
LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@ -397,8 +397,8 @@ END
// //
VS_VERSION_INFO VERSIONINFO VS_VERSION_INFO VERSIONINFO
FILEVERSION 4,5,2125,0 FILEVERSION 4,5,2126,0
PRODUCTVERSION 4,5,2125,0 PRODUCTVERSION 4,5,2126,0
FILEFLAGSMASK 0x3fL FILEFLAGSMASK 0x3fL
#ifdef _DEBUG #ifdef _DEBUG
FILEFLAGS 0x1L FILEFLAGS 0x1L
@ -416,13 +416,13 @@ BEGIN
VALUE "Comments", "https://rufus.ie" VALUE "Comments", "https://rufus.ie"
VALUE "CompanyName", "Akeo Consulting" VALUE "CompanyName", "Akeo Consulting"
VALUE "FileDescription", "Rufus" VALUE "FileDescription", "Rufus"
VALUE "FileVersion", "4.5.2125" VALUE "FileVersion", "4.5.2126"
VALUE "InternalName", "Rufus" VALUE "InternalName", "Rufus"
VALUE "LegalCopyright", "<22> 2011-2024 Pete Batard (GPL v3)" VALUE "LegalCopyright", "<22> 2011-2024 Pete Batard (GPL v3)"
VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html" VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
VALUE "OriginalFilename", "rufus-4.5.exe" VALUE "OriginalFilename", "rufus-4.5.exe"
VALUE "ProductName", "Rufus" VALUE "ProductName", "Rufus"
VALUE "ProductVersion", "4.5.2125" VALUE "ProductVersion", "4.5.2126"
END END
END END
BLOCK "VarFileInfo" BLOCK "VarFileInfo"