From ad68ccfac99d62ccd19b47f123614b30f3c09965 Mon Sep 17 00:00:00 2001 From: Pete Batard Date: Wed, 28 Oct 2015 23:17:55 +0000 Subject: [PATCH] [syslinux] fix a crash if the downloaded Syslinux content has been modified * Some stupid corporate firewalls will return garbage content for ldlinux.bss/ldlinux.sys instead of a 403 (as they really should), which creates an issue with the code written by the Syslinux people, as they forgot to check for potential overflows... --- src/rufus.rc | 10 +++++----- src/syslinux.c | 7 +++++-- src/syslinux/libinstaller/syslxmod.c | 4 +++- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/src/rufus.rc b/src/rufus.rc index ab984299..145e3815 100644 --- a/src/rufus.rc +++ b/src/rufus.rc @@ -32,7 +32,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL IDD_DIALOG DIALOGEX 12, 12, 242, 376 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Rufus 2.5.799" +CAPTION "Rufus 2.5.800" FONT 8, "Segoe UI Symbol", 400, 0, 0x0 BEGIN LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8 @@ -319,8 +319,8 @@ END // VS_VERSION_INFO VERSIONINFO - FILEVERSION 2,5,799,0 - PRODUCTVERSION 2,5,799,0 + FILEVERSION 2,5,800,0 + PRODUCTVERSION 2,5,800,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -337,13 +337,13 @@ BEGIN BEGIN VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)" VALUE "FileDescription", "Rufus" - VALUE "FileVersion", "2.5.799" + VALUE "FileVersion", "2.5.800" VALUE "InternalName", "Rufus" VALUE "LegalCopyright", "© 2011-2015 Pete Batard (GPL v3)" VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html" VALUE "OriginalFilename", "rufus.exe" VALUE "ProductName", "Rufus" - VALUE "ProductVersion", "2.5.799" + VALUE "ProductVersion", "2.5.800" END END BLOCK "VarFileInfo" diff --git a/src/syslinux.c b/src/syslinux.c index ec1543af..337ee206 100644 --- a/src/syslinux.c +++ b/src/syslinux.c 
@@ -122,7 +122,7 @@ BOOL InstallSyslinux(DWORD drive_index, char drive_letter, int fs_type) sectbuf = malloc(SECTOR_SIZE); if (sectbuf == NULL) goto out; - + /* Initialize the ADV -- this should be smarter */ syslinux_reset_adv(syslinux_adv); @@ -262,7 +262,10 @@ BOOL InstallSyslinux(DWORD drive_index, char drive_letter, int fs_type) } /* Patch ldlinux.sys and the boot sector */ - syslinux_patch(sectors, nsectors, 0, 0, NULL, NULL); + if (syslinux_patch(sectors, nsectors, 0, 0, NULL, NULL) < 0) { + uprintf("Could not patch Syslinux files"); + goto out; + } /* Rewrite the file */ if (SetFilePointer(f_handle, 0, NULL, FILE_BEGIN) != 0 || diff --git a/src/syslinux/libinstaller/syslxmod.c b/src/syslinux/libinstaller/syslxmod.c index 6ce432f1..88dd490c 100644 --- a/src/syslinux/libinstaller/syslxmod.c +++ b/src/syslinux/libinstaller/syslxmod.c @@ -123,9 +123,11 @@ int syslinux_patch(const sector_t *sectp, int nsectors, /* Search for LDLINUX_MAGIC to find the patch area */ for (wp = (const uint32_t _slimg *)boot_image; - get_32_sl(wp) != LDLINUX_MAGIC; + (get_32_sl(wp) != LDLINUX_MAGIC) && (((uintptr_t)wp) < ((uintptr_t)boot_image + boot_image_len)); wp++) ; + if (((uintptr_t)wp) >= ((uintptr_t)boot_image + boot_image_len)) + return -1; patcharea = (struct patch_area _slimg *)wp; epa = slptr(boot_image, &patcharea->epaoffset);
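Review bot: In the second hunk of src/syslinux.c, the new `syslinux_patch(...) < 0` test is the first point at which altered ldlinux.sys/ldlinux.bss content is rejected. The `/* Rewrite the file */` step that follows suggests the unvalidated file has already been written to the target drive by then, so `goto out` presumably leaves it there. I would validate the content where it is loaded, before anything is written (plausible size, presence of LDLINUX_MAGIC, ideally a known-good hash), and keep this check as a backstop. The log line should name the likely cause, e.g. `uprintf("Could not patch Syslinux files - downloaded content may have been altered");`, and a comment such as `/* syslinux_patch() returns -1 when LDLINUX_MAGIC is not found in the image */` would document why the result is now tested. InstallSyslinux starts and ends outside the hunk, so the cleanup performed at `out` is not visible here.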
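Review bot: The loop condition in the syslxmod.c hunk still reads past the image before it stops. `get_32_sl(wp)` is on the left of `&&`, so it is evaluated before the bound test, and when no magic is present the final iteration reads four bytes at `boot_image + boot_image_len`. The bound also only requires `wp` to start inside the buffer, so a `boot_image_len` that is not a multiple of 4 allows a read that straddles the end. Test the bound first and require a whole word to fit: `((uintptr_t)wp + sizeof(uint32_t) <= (uintptr_t)boot_image + boot_image_len) && (get_32_sl(wp) != LDLINUX_MAGIC);`, with the post-loop check changed to `if ((uintptr_t)wp + sizeof(uint32_t) > (uintptr_t)boot_image + boot_image_len) return -1;`. Finding the magic does not make the rest trustworthy either: `patcharea->epaoffset` on the next line comes from the same untrusted image and, as far as the hunk shows, reaches `slptr()` without a range check against `boot_image_len`; syslinux_patch continues outside the hunk, so later offsets may need the same treatment.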