mirror of
https://github.com/pbatard/rufus.git
synced 2024-08-14 23:57:05 +00:00
[misc] fix a buffer overflow issue in RunCommand
* The size in CreatePipe is a suggested size, not an absolute one. * As a result, we could overflow our fixed size buffer.
This commit is contained in:
Pete Batard
parent
8b880a7d31
commit
d2576a9f5e
2 changed files with 22 additions and 18 deletions
16
src/rufus.rc
16
src/rufus.rc
|
|
@ -32,7 +32,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
|
||||||
|
|
||||||
IDD_DIALOG DIALOGEX 12, 12, 242, 376
|
IDD_DIALOG DIALOGEX 12, 12, 242, 376
|
||||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||||
CAPTION "Rufus 2.3.681"
|
CAPTION "Rufus 2.3.682"
|
||||||
FONT 8, "Segoe UI", 400, 0, 0x1
|
FONT 8, "Segoe UI", 400, 0, 0x1
|
||||||
BEGIN
|
BEGIN
|
||||||
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
||||||
|
|
@ -157,7 +157,7 @@ END
|
||||||
|
|
||||||
IDD_DIALOG_XP DIALOGEX 12, 12, 242, 376
|
IDD_DIALOG_XP DIALOGEX 12, 12, 242, 376
|
||||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||||
CAPTION "Rufus 2.3.681"
|
CAPTION "Rufus 2.3.682"
|
||||||
FONT 8, "MS Shell Dlg", 400, 0, 0x1
|
FONT 8, "MS Shell Dlg", 400, 0, 0x1
|
||||||
BEGIN
|
BEGIN
|
||||||
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
||||||
|
|
@ -283,7 +283,7 @@ END
|
||||||
IDD_DIALOG_RTL DIALOGEX 12, 12, 242, 376
|
IDD_DIALOG_RTL DIALOGEX 12, 12, 242, 376
|
||||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||||
EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL
|
EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL
|
||||||
CAPTION "Rufus 2.3.681"
|
CAPTION "Rufus 2.3.682"
|
||||||
FONT 8, "Segoe UI", 400, 0, 0x1
|
FONT 8, "Segoe UI", 400, 0, 0x1
|
||||||
BEGIN
|
BEGIN
|
||||||
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
||||||
|
|
@ -415,7 +415,7 @@ END
|
||||||
IDD_DIALOG_RTL_XP DIALOGEX 12, 12, 242, 376
|
IDD_DIALOG_RTL_XP DIALOGEX 12, 12, 242, 376
|
||||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||||
EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL
|
EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL
|
||||||
CAPTION "Rufus 2.3.681"
|
CAPTION "Rufus 2.3.682"
|
||||||
FONT 8, "MS Shell Dlg", 400, 0, 0x1
|
FONT 8, "MS Shell Dlg", 400, 0, 0x1
|
||||||
BEGIN
|
BEGIN
|
||||||
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
||||||
|
|
@ -671,8 +671,8 @@ END
|
||||||
//
|
//
|
||||||
|
|
||||||
VS_VERSION_INFO VERSIONINFO
|
VS_VERSION_INFO VERSIONINFO
|
||||||
FILEVERSION 2,3,681,0
|
FILEVERSION 2,3,682,0
|
||||||
PRODUCTVERSION 2,3,681,0
|
PRODUCTVERSION 2,3,682,0
|
||||||
FILEFLAGSMASK 0x3fL
|
FILEFLAGSMASK 0x3fL
|
||||||
#ifdef _DEBUG
|
#ifdef _DEBUG
|
||||||
FILEFLAGS 0x1L
|
FILEFLAGS 0x1L
|
||||||
|
|
@ -689,13 +689,13 @@ BEGIN
|
||||||
BEGIN
|
BEGIN
|
||||||
VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)"
|
VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)"
|
||||||
VALUE "FileDescription", "Rufus"
|
VALUE "FileDescription", "Rufus"
|
||||||
VALUE "FileVersion", "2.3.681"
|
VALUE "FileVersion", "2.3.682"
|
||||||
VALUE "InternalName", "Rufus"
|
VALUE "InternalName", "Rufus"
|
||||||
VALUE "LegalCopyright", "© 2011-2015 Pete Batard (GPL v3)"
|
VALUE "LegalCopyright", "© 2011-2015 Pete Batard (GPL v3)"
|
||||||
VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
|
VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
|
||||||
VALUE "OriginalFilename", "rufus.exe"
|
VALUE "OriginalFilename", "rufus.exe"
|
||||||
VALUE "ProductName", "Rufus"
|
VALUE "ProductName", "Rufus"
|
||||||
VALUE "ProductVersion", "2.3.681"
|
VALUE "ProductVersion", "2.3.682"
|
||||||
END
|
END
|
||||||
END
|
END
|
||||||
BLOCK "VarFileInfo"
|
BLOCK "VarFileInfo"
|
||||||
|
|
|
||||||
18
src/stdfn.c
18
src/stdfn.c
|
|
@ -535,16 +535,18 @@ DWORD GetResourceSize(HMODULE module, char* name, char* type, const char* desc)
|
||||||
// Run a console command, with optional redirection of stdout and stderr to our log
|
// Run a console command, with optional redirection of stdout and stderr to our log
|
||||||
DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
|
DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
|
||||||
{
|
{
|
||||||
DWORD ret, dwRead, dwAvail, dwMsg;
|
DWORD ret, dwRead, dwAvail, dwPipeSize = 4096;
|
||||||
STARTUPINFOA si = {0};
|
STARTUPINFOA si = {0};
|
||||||
PROCESS_INFORMATION pi = {0};
|
PROCESS_INFORMATION pi = {0};
|
||||||
HANDLE hOutputRead = INVALID_HANDLE_VALUE, hOutputWrite = INVALID_HANDLE_VALUE;
|
HANDLE hOutputRead = INVALID_HANDLE_VALUE, hOutputWrite = INVALID_HANDLE_VALUE;
|
||||||
HANDLE hDupOutputWrite = INVALID_HANDLE_VALUE;
|
HANDLE hDupOutputWrite = INVALID_HANDLE_VALUE;
|
||||||
char output[1024];
|
static char* output;
|
||||||
|
|
||||||
si.cb = sizeof(si);
|
si.cb = sizeof(si);
|
||||||
if (log) {
|
if (log) {
|
||||||
if (!CreatePipe(&hOutputRead, &hOutputWrite, NULL, sizeof(output)-1)) {
|
// NB: The size of a pipe is a suggestion, NOT an absolute gaurantee
|
||||||
|
// This means that you may get a pipe of 4K even if you requested 1K
|
||||||
|
if (!CreatePipe(&hOutputRead, &hOutputWrite, NULL, dwPipeSize)) {
|
||||||
ret = GetLastError();
|
ret = GetLastError();
|
||||||
uprintf("Could not set commandline pipe: %s", WindowsErrorString());
|
uprintf("Could not set commandline pipe: %s", WindowsErrorString());
|
||||||
goto out;
|
goto out;
|
||||||
|
|
@ -568,14 +570,16 @@ DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
|
||||||
if (log) {
|
if (log) {
|
||||||
while (1) {
|
while (1) {
|
||||||
// coverity[string_null]
|
// coverity[string_null]
|
||||||
if (PeekNamedPipe(hOutputRead, output, sizeof(output)-1, &dwRead, &dwAvail, &dwMsg)) {
|
if (PeekNamedPipe(hOutputRead, NULL, dwPipeSize, NULL, &dwAvail, NULL)) {
|
||||||
// Don't care about possible multiple reads being needed
|
if (dwAvail != 0) {
|
||||||
if ((dwAvail != 0) && (ReadFile(hOutputRead, output, dwAvail, &dwRead, NULL)) && (dwRead != 0)) {
|
output = malloc(dwAvail + 1);
|
||||||
// This seems to be needed. Won't overflow since we set our max sizes to sizeof(output)-1
|
if ((output != NULL) && (ReadFile(hOutputRead, output, dwAvail, &dwRead, NULL)) && (dwRead != 0)) {
|
||||||
output[dwAvail] = 0;
|
output[dwAvail] = 0;
|
||||||
// coverity[tainted_string]
|
// coverity[tainted_string]
|
||||||
uprintf(output);
|
uprintf(output);
|
||||||
}
|
}
|
||||||
|
free(output);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (WaitForSingleObject(pi.hProcess, 0) == WAIT_OBJECT_0)
|
if (WaitForSingleObject(pi.hProcess, 0) == WAIT_OBJECT_0)
|
||||||
break;
|
break;
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue