mirror of
https://github.com/pbatard/rufus.git
synced 2024-08-14 23:57:05 +00:00
[udf] workaround for udf_fs memory corruption
* issue is due to blind memcopy that may overflow allocated udf_dirent structure if new LBA we read for file entry has different i_alloc_desc or i_extended_attr
This commit is contained in:
Pete Batard
parent
9ba3b885ff
commit
ca437ca5a6
2 changed files with 29 additions and 9 deletions
|
|
@ -61,6 +61,10 @@
|
|||
|
||||
#include <stdio.h>
|
||||
|
||||
#ifndef min
|
||||
#define min(a,b) (((a) < (b)) ? (a) : (b))
|
||||
#endif
|
||||
|
||||
/* These definitions are also to make debugging easy. Note that they
|
||||
have to come *before* #include <cdio/ecma_167.h> which sets
|
||||
#defines for these.
|
||||
|
|
@ -662,14 +666,30 @@ udf_readdir(udf_dirent_t *p_udf_dirent)
|
|||
const unsigned int i_len = p_udf_dirent->fid->i_file_id;
|
||||
uint8_t data[UDF_BLOCKSIZE] = {0};
|
||||
udf_file_entry_t *p_udf_fe = (udf_file_entry_t *) &data;
|
||||
udf_Uint32_t i_alloc_descs = p_udf_dirent->fe.i_alloc_descs;
|
||||
udf_Uint32_t i_extended_attr = p_udf_dirent->fe.i_extended_attr;
|
||||
|
||||
if (DRIVER_OP_SUCCESS != udf_read_sectors(p_udf, p_udf_fe, p_udf->i_part_start
|
||||
+ p_udf_dirent->fid->icb.loc.lba, 1))
|
||||
return NULL;
|
||||
|
||||
/* There is a bug here, as we may use a file entry with i_alloc_descs or i_extended_attr
|
||||
that doesn't match the one we used when allocating the structure. If they are bigger
|
||||
memcpy will result in memory overflow and corruption. Use min() as a workaround. */
|
||||
if ((p_udf_fe->i_alloc_descs != p_udf_dirent->fe.i_alloc_descs)) {
|
||||
cdio_error("MISMATCH! p_udf_dirent = %p: i_alloc_desc %d (new LBA) vs %d (existing)", p_udf_dirent, p_udf_fe->i_alloc_descs, p_udf_dirent->fe.i_alloc_descs);
|
||||
i_alloc_descs = min(p_udf_fe->i_alloc_descs, p_udf_dirent->fe.i_alloc_descs);
|
||||
}
|
||||
if ((p_udf_fe->i_extended_attr != p_udf_dirent->fe.i_extended_attr)) {
|
||||
cdio_error("MISMATCH! p_udf_dirent = %p: i_extended_attr %d (new LBA) vs %d (existing)", p_udf_dirent, p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_extended_attr);
|
||||
i_extended_attr = min(p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_extended_attr);
|
||||
}
|
||||
|
||||
memcpy(&(p_udf_dirent->fe), p_udf_fe,
|
||||
sizeof(udf_file_entry_t) + p_udf_fe->i_alloc_descs
|
||||
+ p_udf_fe->i_extended_attr );
|
||||
sizeof(udf_file_entry_t) + min(p_udf_fe->i_alloc_descs
|
||||
+ p_udf_fe->i_extended_attr, p_udf_dirent->fe.i_alloc_descs + p_udf_dirent->fe.i_extended_attr));
|
||||
p_udf_dirent->fe.i_alloc_descs = i_alloc_descs;
|
||||
p_udf_dirent->fe.i_extended_attr = i_extended_attr;
|
||||
|
||||
if (strlen(p_udf_dirent->psz_name) < i_len)
|
||||
p_udf_dirent->psz_name = (char *)
|
||||
|
|
|
|||
12
src/rufus.rc
12
src/rufus.rc
|
|
@ -33,7 +33,7 @@ LANGUAGE LANG_ENGLISH, SUBLANG_NEUTRAL
|
|||
IDD_DIALOG DIALOGEX 12, 12, 206, 278
|
||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||
EXSTYLE WS_EX_APPWINDOW
|
||||
CAPTION "Rufus v1.0.7.129"
|
||||
CAPTION "Rufus v1.0.7.130"
|
||||
FONT 8, "MS Shell Dlg", 400, 0, 0x1
|
||||
BEGIN
|
||||
DEFPUSHBUTTON "Start",IDC_START,94,236,50,14
|
||||
|
|
@ -70,7 +70,7 @@ BEGIN
|
|||
DEFPUSHBUTTON "OK",IDOK,231,175,50,14,WS_GROUP
|
||||
CONTROL "<a href=""http://rufus.akeo.ie"">http://rufus.akeo.ie</a>",IDC_ABOUT_RUFUS_URL,
|
||||
"SysLink",WS_TABSTOP,46,47,114,9
|
||||
LTEXT "Version 1.0.7 (Build 129)",IDC_STATIC,46,19,78,8
|
||||
LTEXT "Version 1.0.7 (Build 130)",IDC_STATIC,46,19,78,8
|
||||
PUSHBUTTON "License...",IDC_ABOUT_LICENSE,46,175,50,14,WS_GROUP
|
||||
EDITTEXT IDC_ABOUT_COPYRIGHTS,46,107,235,63,ES_MULTILINE | ES_READONLY | WS_VSCROLL
|
||||
LTEXT "Report bugs or request enhancements at:",IDC_STATIC,46,66,187,8
|
||||
|
|
@ -208,8 +208,8 @@ END
|
|||
//
|
||||
|
||||
VS_VERSION_INFO VERSIONINFO
|
||||
FILEVERSION 1,0,7,129
|
||||
PRODUCTVERSION 1,0,7,129
|
||||
FILEVERSION 1,0,7,130
|
||||
PRODUCTVERSION 1,0,7,130
|
||||
FILEFLAGSMASK 0x3fL
|
||||
#ifdef _DEBUG
|
||||
FILEFLAGS 0x1L
|
||||
|
|
@ -226,13 +226,13 @@ BEGIN
|
|||
BEGIN
|
||||
VALUE "CompanyName", "akeo.ie"
|
||||
VALUE "FileDescription", "Rufus"
|
||||
VALUE "FileVersion", "1.0.7.129"
|
||||
VALUE "FileVersion", "1.0.7.130"
|
||||
VALUE "InternalName", "Rufus"
|
||||
VALUE "LegalCopyright", "© 2011 Pete Batard (GPL v3)"
|
||||
VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
|
||||
VALUE "OriginalFilename", "rufus.exe"
|
||||
VALUE "ProductName", "Rufus"
|
||||
VALUE "ProductVersion", "1.0.7.129"
|
||||
VALUE "ProductVersion", "1.0.7.130"
|
||||
END
|
||||
END
|
||||
BLOCK "VarFileInfo"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue