nerd/rufus
1
1
Fork 0
mirror of https://github.com/pbatard/rufus.git synced 2024-08-14 23:57:05 +00:00
Code Issues 1 Projects Releases Wiki Activity

[udf] workaround for udf_fs memory corruption

Browse source 
* issue is due to blind memcopy that may overflow allocated udf_dirent
  structure if new LBA we read for file entry has different i_alloc_desc
  or i_extended_attr
This commit is contained in:
Pete Batard 2012-01-16 12:03:02 +00:00
parent 9ba3b885ff
commit ca437ca5a6
2 changed files with 29 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

24
src/libcdio/udf/udf_fs.c
View file

@ -61,6 +61,10 @@
#include <stdio.h> #include <stdio.h>
#ifndef min
#define min(a,b) (((a) < (b)) ? (a) : (b))
#endif
/* These definitions are also to make debugging easy. Note that they /* These definitions are also to make debugging easy. Note that they
have to come *before* #include <cdio/ecma_167.h> which sets have to come *before* #include <cdio/ecma_167.h> which sets
#defines for these. #defines for these.
@ -662,14 +666,30 @@ udf_readdir(udf_dirent_t *p_udf_dirent)
const unsigned int i_len = p_udf_dirent->fid->i_file_id; const unsigned int i_len = p_udf_dirent->fid->i_file_id;
uint8_t data[UDF_BLOCKSIZE] = {0}; uint8_t data[UDF_BLOCKSIZE] = {0};
udf_file_entry_t *p_udf_fe = (udf_file_entry_t *) &data; udf_file_entry_t *p_udf_fe = (udf_file_entry_t *) &data;
udf_Uint32_t i_alloc_descs = p_udf_dirent->fe.i_alloc_descs;
udf_Uint32_t i_extended_attr = p_udf_dirent->fe.i_extended_attr;
if (DRIVER_OP_SUCCESS != udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start if (DRIVER_OP_SUCCESS != udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start
+ p_udf_dirent->fid->icb.loc.lba, 1)) + p_udf_dirent->fid->icb.loc.lba, 1))
return NULL; return NULL;
/* There is a bug here, as we may use a file entry with i_alloc_descs or i_extended_attr
that doesn't match the one we used when allocating the structure. If they are bigger
memcpy will result in memory overflow and corruption. Use min() as a workaround. */
if ((p_udf_fe->i_alloc_descs != p_udf_dirent->fe.i_alloc_descs)) {
cdio_error("MISMATCH! p_udf_dirent = %p: i_alloc_desc %d (new LBA) vs %d (existing)", p_udf_dirent, p_udf_fe->i_alloc_descs, p_udf_dirent->fe.i_alloc_descs);
i_alloc_descs = min(p_udf_fe->i_alloc_descs, p_udf_dirent->fe.i_alloc_descs);
}
if ((p_udf_fe->i_extended_attr != p_udf_dirent->fe.i_extended_attr)) {
cdio_error("MISMATCH! p_udf_dirent = %p: i_extended_attr %d (new LBA) vs %d (existing)", p_udf_dirent, p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_extended_attr);
i_extended_attr = min(p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_extended_attr);
}
memcpy(&(p_udf_dirent->fe), p_udf_fe, memcpy(&(p_udf_dirent->fe), p_udf_fe,
sizeof(udf_file_entry_t) + p_udf_fe->i_alloc_descs sizeof(udf_file_entry_t) + min(p_udf_fe->i_alloc_descs
+ p_udf_fe->i_extended_attr ); + p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_alloc_descs + p_udf_dirent->fe.i_extended_attr));
p_udf_dirent->fe.i_alloc_descs = i_alloc_descs;
p_udf_dirent->fe.i_extended_attr = i_extended_attr;
if (strlen(p_udf_dirent->psz_name) < i_len) if (strlen(p_udf_dirent->psz_name) < i_len)
p_udf_dirent->psz_name = (char *) p_udf_dirent->psz_name = (char *)

12
src/rufus.rc
View file

@ -33,7 +33,7 @@ LANGUAGE LANG_ENGLISH, SUBLANG_NEUTRAL
IDD_DIALOG DIALOGEX 12, 12, 206, 278 IDD_DIALOG DIALOGEX 12, 12, 206, 278
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_APPWINDOW EXSTYLE WS_EX_APPWINDOW
CAPTION "Rufus v1.0.7.129" CAPTION "Rufus v1.0.7.130"
FONT 8, "MS Shell Dlg", 400, 0, 0x1 FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN BEGIN
DEFPUSHBUTTON "Start",IDC_START,94,236,50,14 DEFPUSHBUTTON "Start",IDC_START,94,236,50,14
@ -70,7 +70,7 @@ BEGIN
DEFPUSHBUTTON "OK",IDOK,231,175,50,14,WS_GROUP DEFPUSHBUTTON "OK",IDOK,231,175,50,14,WS_GROUP
CONTROL "<a href=""http://rufus.akeo.ie"">http://rufus.akeo.ie</a>",IDC_ABOUT_RUFUS_URL, CONTROL "<a href=""http://rufus.akeo.ie"">http://rufus.akeo.ie</a>",IDC_ABOUT_RUFUS_URL,
"SysLink",WS_TABSTOP,46,47,114,9 "SysLink",WS_TABSTOP,46,47,114,9
LTEXT "Version 1.0.7 (Build 129)",IDC_STATIC,46,19,78,8 LTEXT "Version 1.0.7 (Build 130)",IDC_STATIC,46,19,78,8
PUSHBUTTON "License...",IDC_ABOUT_LICENSE,46,175,50,14,WS_GROUP PUSHBUTTON "License...",IDC_ABOUT_LICENSE,46,175,50,14,WS_GROUP
EDITTEXT IDC_ABOUT_COPYRIGHTS,46,107,235,63,ES_MULTILINE | ES_READONLY | WS_VSCROLL EDITTEXT IDC_ABOUT_COPYRIGHTS,46,107,235,63,ES_MULTILINE | ES_READONLY | WS_VSCROLL
LTEXT "Report bugs or request enhancements at:",IDC_STATIC,46,66,187,8 LTEXT "Report bugs or request enhancements at:",IDC_STATIC,46,66,187,8
@ -208,8 +208,8 @@ END
// //
VS_VERSION_INFO VERSIONINFO VS_VERSION_INFO VERSIONINFO
FILEVERSION 1,0,7,129 FILEVERSION 1,0,7,130
PRODUCTVERSION 1,0,7,129 PRODUCTVERSION 1,0,7,130
FILEFLAGSMASK 0x3fL FILEFLAGSMASK 0x3fL
#ifdef _DEBUG #ifdef _DEBUG
FILEFLAGS 0x1L FILEFLAGS 0x1L
@ -226,13 +226,13 @@ BEGIN
BEGIN BEGIN
VALUE "CompanyName", "akeo.ie" VALUE "CompanyName", "akeo.ie"
VALUE "FileDescription", "Rufus" VALUE "FileDescription", "Rufus"
VALUE "FileVersion", "1.0.7.129" VALUE "FileVersion", "1.0.7.130"
VALUE "InternalName", "Rufus" VALUE "InternalName", "Rufus"
VALUE "LegalCopyright", "© 2011 Pete Batard (GPL v3)" VALUE "LegalCopyright", "© 2011 Pete Batard (GPL v3)"
VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html" VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
VALUE "OriginalFilename", "rufus.exe" VALUE "OriginalFilename", "rufus.exe"
VALUE "ProductName", "Rufus" VALUE "ProductName", "Rufus"
VALUE "ProductVersion", "1.0.7.129" VALUE "ProductVersion", "1.0.7.130"
END END
END END
BLOCK "VarFileInfo" BLOCK "VarFileInfo"