[udf] workaround for udf_fs memory corruption

* issue is due to blind memcopy that may overflow allocated udf_dirent structure if new LBA we read for file entry has different i_alloc_desc or i_extended_attr
2012-01-16 12:03:02 +00:00 · 2012-01-16 12:03:02 +00:00 · ca437ca5a6
parent 9ba3b885ff
commit ca437ca5a6
2 changed files with 29 additions and 9 deletions
--- a/src/libcdio/udf/udf_fs.c
+++ b/src/libcdio/udf/udf_fs.c
@ -61,6 +61,10 @@

 #include <stdio.h>

+#ifndef min
+#define min(a,b) (((a) < (b)) ? (a) : (b))
+#endif
+
 /* These definitions are also to make debugging easy. Note that they
   have to come *before* #include <cdio/ecma_167.h> which sets 
   #defines for these.
@ -662,14 +666,30 @@ udf_readdir(udf_dirent_t *p_udf_dirent)
 	const unsigned int i_len = p_udf_dirent->fid->i_file_id;
 	uint8_t data[UDF_BLOCKSIZE] = {0};
 	udf_file_entry_t *p_udf_fe = (udf_file_entry_t *) &data;
+	udf_Uint32_t i_alloc_descs = p_udf_dirent->fe.i_alloc_descs;
+	udf_Uint32_t i_extended_attr = p_udf_dirent->fe.i_extended_attr;

 	if (DRIVER_OP_SUCCESS != udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start 
 			 + p_udf_dirent->fid->icb.loc.lba, 1))
 		return NULL;
-      
+
+/* There is a bug here, as we may use a file entry with i_alloc_descs or i_extended_attr
+   that doesn't match the one we used when allocating the structure. If they are bigger
+   memcpy will result in memory overflow and corruption. Use min() as a workaround. */
+if ((p_udf_fe->i_alloc_descs != p_udf_dirent->fe.i_alloc_descs)) {
+	cdio_error("MISMATCH! p_udf_dirent = %p: i_alloc_desc %d (new LBA) vs %d (existing)", p_udf_dirent, p_udf_fe->i_alloc_descs, p_udf_dirent->fe.i_alloc_descs);
+	i_alloc_descs = min(p_udf_fe->i_alloc_descs, p_udf_dirent->fe.i_alloc_descs);
+}
+if ((p_udf_fe->i_extended_attr != p_udf_dirent->fe.i_extended_attr)) {
+	cdio_error("MISMATCH! p_udf_dirent = %p: i_extended_attr %d (new LBA) vs %d (existing)", p_udf_dirent, p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_extended_attr);
+	i_extended_attr = min(p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_extended_attr);
+}
+
 	memcpy(&(p_udf_dirent->fe), p_udf_fe, 
-	       sizeof(udf_file_entry_t) + p_udf_fe->i_alloc_descs 
-	       + p_udf_fe->i_extended_attr );
+	       sizeof(udf_file_entry_t) + min(p_udf_fe->i_alloc_descs 
+	       + p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_alloc_descs + p_udf_dirent->fe.i_extended_attr));
+	p_udf_dirent->fe.i_alloc_descs = i_alloc_descs;
+	p_udf_dirent->fe.i_extended_attr = i_extended_attr;

 	if (strlen(p_udf_dirent->psz_name) < i_len) 
 	  p_udf_dirent->psz_name = (char *)
--- a/src/rufus.rc
+++ b/src/rufus.rc
@ -33,7 +33,7 @@ LANGUAGE LANG_ENGLISH, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 206, 278
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_APPWINDOW
-CAPTION "Rufus v1.0.7.129"
+CAPTION "Rufus v1.0.7.130"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
    DEFPUSHBUTTON   "Start",IDC_START,94,236,50,14
@ -70,7 +70,7 @@ BEGIN
    DEFPUSHBUTTON   "OK",IDOK,231,175,50,14,WS_GROUP
    CONTROL         "<a href=""http://rufus.akeo.ie"">http://rufus.akeo.ie</a>",IDC_ABOUT_RUFUS_URL,
                    "SysLink",WS_TABSTOP,46,47,114,9
-    LTEXT           "Version 1.0.7 (Build 129)",IDC_STATIC,46,19,78,8
+    LTEXT           "Version 1.0.7 (Build 130)",IDC_STATIC,46,19,78,8
    PUSHBUTTON      "License...",IDC_ABOUT_LICENSE,46,175,50,14,WS_GROUP
    EDITTEXT        IDC_ABOUT_COPYRIGHTS,46,107,235,63,ES_MULTILINE | ES_READONLY | WS_VSCROLL
    LTEXT           "Report bugs or request enhancements at:",IDC_STATIC,46,66,187,8
@ -208,8 +208,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,0,7,129
- PRODUCTVERSION 1,0,7,129
+ FILEVERSION 1,0,7,130
+ PRODUCTVERSION 1,0,7,130
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -226,13 +226,13 @@ BEGIN
        BEGIN
            VALUE "CompanyName", "akeo.ie"
            VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "1.0.7.129"
+            VALUE "FileVersion", "1.0.7.130"
            VALUE "InternalName", "Rufus"
            VALUE "LegalCopyright", "© 2011 Pete Batard (GPL v3)"
            VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
            VALUE "OriginalFilename", "rufus.exe"
            VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "1.0.7.129"
+            VALUE "ProductVersion", "1.0.7.130"
        END
    END
    BLOCK "VarFileInfo"