[syslinux] fix a crash if the downloaded Syslinux content has been modified

* Some stupid corporate firewalls will return garbage content for ldlinux.bss/ldlinux.sys
  instead of a 403 (as they really should), which creates an issue with the code written
  by the Syslinux people, as they forgot to check for potential overflows...
Pete Batard 2015-10-28 23:17:55 +00:00
parent c12977a164
commit ad68ccfac9
3 changed files with 13 additions and 8 deletions


@ -32,7 +32,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
IDD_DIALOG DIALOGEX 12, 12, 242, 376
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "Rufus 2.5.799"
CAPTION "Rufus 2.5.800"
FONT 8, "Segoe UI Symbol", 400, 0, 0x0
BEGIN
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
@ -319,8 +319,8 @@ END
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 2,5,799,0
PRODUCTVERSION 2,5,799,0
FILEVERSION 2,5,800,0
PRODUCTVERSION 2,5,800,0
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@ -337,13 +337,13 @@ BEGIN
BEGIN
VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)"
VALUE "FileDescription", "Rufus"
VALUE "FileVersion", "2.5.799"
VALUE "FileVersion", "2.5.800"
VALUE "InternalName", "Rufus"
VALUE "LegalCopyright", "© 2011-2015 Pete Batard (GPL v3)"
VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
VALUE "OriginalFilename", "rufus.exe"
VALUE "ProductName", "Rufus"
VALUE "ProductVersion", "2.5.799"
VALUE "ProductVersion", "2.5.800"
END
END
BLOCK "VarFileInfo"


@ -122,7 +122,7 @@ BOOL InstallSyslinux(DWORD drive_index, char drive_letter, int fs_type)
sectbuf = malloc(SECTOR_SIZE);
if (sectbuf == NULL)
goto out;
/* Initialize the ADV -- this should be smarter */
syslinux_reset_adv(syslinux_adv);
@ -262,7 +262,10 @@ BOOL InstallSyslinux(DWORD drive_index, char drive_letter, int fs_type)
}
/* Patch ldlinux.sys and the boot sector */
syslinux_patch(sectors, nsectors, 0, 0, NULL, NULL);
if (syslinux_patch(sectors, nsectors, 0, 0, NULL, NULL) < 0) {
uprintf("Could not patch Syslinux files");
goto out;
}
/* Rewrite the file */
if (SetFilePointer(f_handle, 0, NULL, FILE_BEGIN) != 0 ||
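Review bot: The new `syslinux_patch(...) < 0` check only rejects an image in which the magic word is absent, so downloaded ldlinux.sys/ldlinux.bss content that was altered but still contains the magic goes on to the rewrite step below. Nothing visible in this hunk verifies the integrity of the downloaded files; if the download path does not already do so, compare their size and a known digest for the selected Syslinux version before reaching this call and fail there. At minimum I would add a comment above the call, `/* Only detects a missing LDLINUX_MAGIC; does not authenticate the downloaded image */`. InstallSyslinux starts and ends outside the hunk, and the "Rewrite the file" comment suggests ldlinux.sys has already been written once, so it is worth confirming that the `out` path does not leave the unpatched file on the drive.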


@ -123,9 +123,11 @@ int syslinux_patch(const sector_t *sectp, int nsectors,
/* Search for LDLINUX_MAGIC to find the patch area */
for (wp = (const uint32_t _slimg *)boot_image;
get_32_sl(wp) != LDLINUX_MAGIC;
(get_32_sl(wp) != LDLINUX_MAGIC) && (((uintptr_t)wp) < ((uintptr_t)boot_image + boot_image_len));
wp++)
;
if (((uintptr_t)wp) >= ((uintptr_t)boot_image + boot_image_len))
return -1;
patcharea = (struct patch_area _slimg *)wp;
epa = slptr(boot_image, &patcharea->epaoffset);
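Review bot: The loop condition still calls `get_32_sl(wp)` before comparing `wp` with the end of the image, so when no magic is present the final iteration reads one 32-bit word past `boot_image + boot_image_len` (and partly past it earlier if the length is not a multiple of 4). Test the bound first and leave room for the whole word: `((uintptr_t)wp + sizeof(uint32_t) <= (uintptr_t)boot_image + boot_image_len) && (get_32_sl(wp) != LDLINUX_MAGIC);`, with the check after the loop changed to `if ((uintptr_t)wp + sizeof(uint32_t) > (uintptr_t)boot_image + boot_image_len) return -1;`. The `epaoffset` read on the last line comes from the same untrusted image and, as far as this hunk shows, is used without a range check. syslinux_patch continues outside the hunk, so the later offset uses should be reviewed against `boot_image_len` as well.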