nerd/rufus
1
1
Fork 0
mirror of https://github.com/pbatard/rufus.git synced 2024-08-14 23:57:05 +00:00
Code Issues 1 Projects Releases Wiki Activity

[misc] fix a buffer overflow issue in RunCommand

Browse source 
* The size in CreatePipe is a suggested size, not an absolute one.
* As a result, we could overflow our fixed size buffer.
This commit is contained in:
Pete Batard 2015-06-25 19:51:42 +01:00
parent 8b880a7d31
commit d2576a9f5e
2 changed files with 22 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
src/rufus.rc
View file

@ -32,7 +32,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
IDD_DIALOG DIALOGEX 12, 12, 242, 376 IDD_DIALOG DIALOGEX 12, 12, 242, 376
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "Rufus 2.3.681" CAPTION "Rufus 2.3.682"
FONT 8, "Segoe UI", 400, 0, 0x1 FONT 8, "Segoe UI", 400, 0, 0x1
BEGIN BEGIN
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8 LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
@ -157,7 +157,7 @@ END
IDD_DIALOG_XP DIALOGEX 12, 12, 242, 376 IDD_DIALOG_XP DIALOGEX 12, 12, 242, 376
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "Rufus 2.3.681" CAPTION "Rufus 2.3.682"
FONT 8, "MS Shell Dlg", 400, 0, 0x1 FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN BEGIN
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8 LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
@ -283,7 +283,7 @@ END
IDD_DIALOG_RTL DIALOGEX 12, 12, 242, 376 IDD_DIALOG_RTL DIALOGEX 12, 12, 242, 376
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL
CAPTION "Rufus 2.3.681" CAPTION "Rufus 2.3.682"
FONT 8, "Segoe UI", 400, 0, 0x1 FONT 8, "Segoe UI", 400, 0, 0x1
BEGIN BEGIN
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8 LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
@ -415,7 +415,7 @@ END
IDD_DIALOG_RTL_XP DIALOGEX 12, 12, 242, 376 IDD_DIALOG_RTL_XP DIALOGEX 12, 12, 242, 376
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL
CAPTION "Rufus 2.3.681" CAPTION "Rufus 2.3.682"
FONT 8, "MS Shell Dlg", 400, 0, 0x1 FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN BEGIN
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8 LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
@ -671,8 +671,8 @@ END
// //
VS_VERSION_INFO VERSIONINFO VS_VERSION_INFO VERSIONINFO
FILEVERSION 2,3,681,0 FILEVERSION 2,3,682,0
PRODUCTVERSION 2,3,681,0 PRODUCTVERSION 2,3,682,0
FILEFLAGSMASK 0x3fL FILEFLAGSMASK 0x3fL
#ifdef _DEBUG #ifdef _DEBUG
FILEFLAGS 0x1L FILEFLAGS 0x1L
@ -689,13 +689,13 @@ BEGIN
BEGIN BEGIN
VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)" VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)"
VALUE "FileDescription", "Rufus" VALUE "FileDescription", "Rufus"
VALUE "FileVersion", "2.3.681" VALUE "FileVersion", "2.3.682"
VALUE "InternalName", "Rufus" VALUE "InternalName", "Rufus"
VALUE "LegalCopyright", "© 2011-2015 Pete Batard (GPL v3)" VALUE "LegalCopyright", "© 2011-2015 Pete Batard (GPL v3)"
VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html" VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
VALUE "OriginalFilename", "rufus.exe" VALUE "OriginalFilename", "rufus.exe"
VALUE "ProductName", "Rufus" VALUE "ProductName", "Rufus"
VALUE "ProductVersion", "2.3.681" VALUE "ProductVersion", "2.3.682"
END END
END END
BLOCK "VarFileInfo" BLOCK "VarFileInfo"

24
src/stdfn.c
View file

@ -535,16 +535,18 @@ DWORD GetResourceSize(HMODULE module, char* name, char* type, const char* desc)
// Run a console command, with optional redirection of stdout and stderr to our log // Run a console command, with optional redirection of stdout and stderr to our log
DWORD RunCommand(const char* cmd, const char* dir, BOOL log) DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
{ {
DWORD ret, dwRead, dwAvail, dwMsg; DWORD ret, dwRead, dwAvail, dwPipeSize = 4096;
STARTUPINFOA si = {0}; STARTUPINFOA si = {0};
PROCESS_INFORMATION pi = {0}; PROCESS_INFORMATION pi = {0};
HANDLE hOutputRead = INVALID_HANDLE_VALUE, hOutputWrite = INVALID_HANDLE_VALUE; HANDLE hOutputRead = INVALID_HANDLE_VALUE, hOutputWrite = INVALID_HANDLE_VALUE;
HANDLE hDupOutputWrite = INVALID_HANDLE_VALUE; HANDLE hDupOutputWrite = INVALID_HANDLE_VALUE;
char output[1024]; static char* output;
si.cb = sizeof(si); si.cb = sizeof(si);
if (log) { if (log) {
if (!CreatePipe(&hOutputRead, &hOutputWrite, NULL, sizeof(output)-1)) { // NB: The size of a pipe is a suggestion, NOT an absolute gaurantee
// This means that you may get a pipe of 4K even if you requested 1K
if (!CreatePipe(&hOutputRead, &hOutputWrite, NULL, dwPipeSize)) {
ret = GetLastError(); ret = GetLastError();
uprintf("Could not set commandline pipe: %s", WindowsErrorString()); uprintf("Could not set commandline pipe: %s", WindowsErrorString());
goto out; goto out;
@ -568,13 +570,15 @@ DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
if (log) { if (log) {
while (1) { while (1) {
// coverity[string_null] // coverity[string_null]
if (PeekNamedPipe(hOutputRead, output, sizeof(output)-1, &dwRead, &dwAvail, &dwMsg)) { if (PeekNamedPipe(hOutputRead, NULL, dwPipeSize, NULL, &dwAvail, NULL)) {
// Don't care about possible multiple reads being needed if (dwAvail != 0) {
if ((dwAvail != 0) && (ReadFile(hOutputRead, output, dwAvail, &dwRead, NULL)) && (dwRead != 0)) { output = malloc(dwAvail + 1);
// This seems to be needed. Won't overflow since we set our max sizes to sizeof(output)-1 if ((output != NULL) && (ReadFile(hOutputRead, output, dwAvail, &dwRead, NULL)) && (dwRead != 0)) {
output[dwAvail] = 0; output[dwAvail] = 0;
// coverity[tainted_string] // coverity[tainted_string]
uprintf(output); uprintf(output);
}
free(output);
} }
} }
if (WaitForSingleObject(pi.hProcess, 0) == WAIT_OBJECT_0) if (WaitForSingleObject(pi.hProcess, 0) == WAIT_OBJECT_0)