From ca437ca5a6ba2847d03a855952f92c5b81386f90 Mon Sep 17 00:00:00 2001
From: Pete Batard
Date: Mon, 16 Jan 2012 12:03:02 +0000
Subject: [PATCH] [udf] workaround for udf_fs memory corruption
* issue is due to blind memcopy that may overflow allocated udf_dirent structure if new LBA we read for file entry has different i_alloc_desc or i_extended_attr
---
 src/libcdio/udf/udf_fs.c | 26 +++++++++++++++++++++++---
 src/rufus.rc | 12 ++++++------
 2 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/src/libcdio/udf/udf_fs.c b/src/libcdio/udf/udf_fs.c
index 02bf4c8a..f44e4275 100644
--- a/src/libcdio/udf/udf_fs.c
+++ b/src/libcdio/udf/udf_fs.c
@@ -61,6 +61,10 @@
 #include
+#ifndef min
+#define min(a,b) (((a) < (b)) ? (a) : (b))
+#endif
+
 /* These definitions are also to make debugging easy. Note that they have to come *before* #include which sets #defines for these.
@@ -662,14 +666,30 @@ udf_readdir(udf_dirent_t *p_udf_dirent)
 const unsigned int i_len = p_udf_dirent->fid->i_file_id;
 uint8_t data[UDF_BLOCKSIZE] = {0};
 udf_file_entry_t *p_udf_fe = (udf_file_entry_t *) &data;
+ udf_Uint32_t i_alloc_descs = p_udf_dirent->fe.i_alloc_descs;
+ udf_Uint32_t i_extended_attr = p_udf_dirent->fe.i_extended_attr;
 if (DRIVER_OP_SUCCESS != udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start + p_udf_dirent->fid->icb.loc.lba, 1))
 return NULL;
-
+
+/* There is a bug here, as we may use a file entry with i_alloc_descs or i_extended_attr that doesn't match the one we used when allocating the structure. If they are bigger memcpy will result in memory overflow and corruption. Use min() as a workaround. */
+if ((p_udf_fe->i_alloc_descs != p_udf_dirent->fe.i_alloc_descs)) {
+ cdio_error("MISMATCH! p_udf_dirent = %p: i_alloc_desc %d (new LBA) vs %d (existing)", p_udf_dirent, p_udf_fe->i_alloc_descs, p_udf_dirent->fe.i_alloc_descs);
+ i_alloc_descs = min(p_udf_fe->i_alloc_descs, p_udf_dirent->fe.i_alloc_descs);
+}
+if ((p_udf_fe->i_extended_attr != p_udf_dirent->fe.i_extended_attr)) {
+ cdio_error("MISMATCH! p_udf_dirent = %p: i_extended_attr %d (new LBA) vs %d (existing)", p_udf_dirent, p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_extended_attr);
+ i_extended_attr = min(p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_extended_attr);
+}
+
 memcpy(&(p_udf_dirent->fe), p_udf_fe,
- sizeof(udf_file_entry_t) + p_udf_fe->i_alloc_descs
- + p_udf_fe->i_extended_attr );
+ sizeof(udf_file_entry_t) + min(p_udf_fe->i_alloc_descs
+ + p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_alloc_descs + p_udf_dirent->fe.i_extended_attr));
+ p_udf_dirent->fe.i_alloc_descs = i_alloc_descs;
+ p_udf_dirent->fe.i_extended_attr = i_extended_attr;
 if (strlen(p_udf_dirent->psz_name) < i_len)
 p_udf_dirent->psz_name = (char *)
diff --git a/src/rufus.rc b/src/rufus.rc
index 6bd30949..26a24906 100644
--- a/src/rufus.rc
+++ b/src/rufus.rc
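Review bot: The min() that now bounds the memcpy length takes both operands from on-disk file entries, so the length is never checked against the one bound that is certain in this hunk, the `data[UDF_BLOCKSIZE]` stack buffer: if the new entry's `i_alloc_descs + i_extended_attr` exceeds `UDF_BLOCKSIZE - sizeof(udf_file_entry_t)` and the existing entry's sum is at least as large (whether that sum was bounded when p_udf_dirent was allocated is not visible here), memcpy reads past the end of `data`. Add, before the memcpy, `if ((size_t)p_udf_fe->i_alloc_descs + p_udf_fe->i_extended_attr > UDF_BLOCKSIZE - sizeof(udf_file_entry_t)) return NULL;` — the `size_t` cast matters because the sum is otherwise done in udf_Uint32_t, which appears to be a 32-bit type, and can wrap to a small value while the stored counts stay large. Returning NULL on a mismatch, rather than copying a truncated entry whose i_alloc_descs/i_extended_attr no longer describe the bytes copied (the copy uses the min of the two sums while each field takes the min of its own term), would also be safer for whatever walks the descriptors afterwards. The `%d` conversions in both cdio_error calls print udf_Uint32_t values and should be `%u`. udf_readdir starts before and continues after this hunk.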
@@ -33,7 +33,7 @@ LANGUAGE LANG_ENGLISH, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 206, 278
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_APPWINDOW
-CAPTION "Rufus v1.0.7.129"
+CAPTION "Rufus v1.0.7.130"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
 DEFPUSHBUTTON "Start",IDC_START,94,236,50,14
@@ -70,7 +70,7 @@ BEGIN
 DEFPUSHBUTTON "OK",IDOK,231,175,50,14,WS_GROUP
 CONTROL "http://rufus.akeo.ie",IDC_ABOUT_RUFUS_URL,
 "SysLink",WS_TABSTOP,46,47,114,9
- LTEXT "Version 1.0.7 (Build 129)",IDC_STATIC,46,19,78,8
+ LTEXT "Version 1.0.7 (Build 130)",IDC_STATIC,46,19,78,8
 PUSHBUTTON "License...",IDC_ABOUT_LICENSE,46,175,50,14,WS_GROUP
 EDITTEXT IDC_ABOUT_COPYRIGHTS,46,107,235,63,ES_MULTILINE | ES_READONLY | WS_VSCROLL
 LTEXT "Report bugs or request enhancements at:",IDC_STATIC,46,66,187,8
@@ -208,8 +208,8 @@ END
 //
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,0,7,129
- PRODUCTVERSION 1,0,7,129
+ FILEVERSION 1,0,7,130
+ PRODUCTVERSION 1,0,7,130
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -226,13 +226,13 @@ BEGIN
 BEGIN
 VALUE "CompanyName", "akeo.ie"
 VALUE "FileDescription", "Rufus"
- VALUE "FileVersion", "1.0.7.129"
+ VALUE "FileVersion", "1.0.7.130"
 VALUE "InternalName", "Rufus"
 VALUE "LegalCopyright", "© 2011 Pete Batard (GPL v3)"
 VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
 VALUE "OriginalFilename", "rufus.exe"
 VALUE "ProductName", "Rufus"
- VALUE "ProductVersion", "1.0.7.129"
+ VALUE "ProductVersion", "1.0.7.130"
 END
 END
 BLOCK "VarFileInfo"