mirror of
https://github.com/pbatard/rufus.git
synced 2024-08-14 23:57:05 +00:00
[misc] fix a buffer overflow issue in RunCommand
* The size in CreatePipe is a suggested size, not an absolute one. * As a result, we could overflow our fixed size buffer.
This commit is contained in:
Pete Batard
parent
8b880a7d31
commit
d2576a9f5e
2 changed files with 22 additions and 18 deletions
16
src/rufus.rc
16
src/rufus.rc
|
|
@ -32,7 +32,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
|
|||
|
||||
IDD_DIALOG DIALOGEX 12, 12, 242, 376
|
||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||
CAPTION "Rufus 2.3.681"
|
||||
CAPTION "Rufus 2.3.682"
|
||||
FONT 8, "Segoe UI", 400, 0, 0x1
|
||||
BEGIN
|
||||
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
||||
|
|
@ -157,7 +157,7 @@ END
|
|||
|
||||
IDD_DIALOG_XP DIALOGEX 12, 12, 242, 376
|
||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||
CAPTION "Rufus 2.3.681"
|
||||
CAPTION "Rufus 2.3.682"
|
||||
FONT 8, "MS Shell Dlg", 400, 0, 0x1
|
||||
BEGIN
|
||||
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
||||
|
|
@ -283,7 +283,7 @@ END
|
|||
IDD_DIALOG_RTL DIALOGEX 12, 12, 242, 376
|
||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||
EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL
|
||||
CAPTION "Rufus 2.3.681"
|
||||
CAPTION "Rufus 2.3.682"
|
||||
FONT 8, "Segoe UI", 400, 0, 0x1
|
||||
BEGIN
|
||||
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
||||
|
|
@ -415,7 +415,7 @@ END
|
|||
IDD_DIALOG_RTL_XP DIALOGEX 12, 12, 242, 376
|
||||
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
|
||||
EXSTYLE WS_EX_RTLREADING | WS_EX_APPWINDOW | WS_EX_LAYOUTRTL
|
||||
CAPTION "Rufus 2.3.681"
|
||||
CAPTION "Rufus 2.3.682"
|
||||
FONT 8, "MS Shell Dlg", 400, 0, 0x1
|
||||
BEGIN
|
||||
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
|
||||
|
|
@ -671,8 +671,8 @@ END
|
|||
//
|
||||
|
||||
VS_VERSION_INFO VERSIONINFO
|
||||
FILEVERSION 2,3,681,0
|
||||
PRODUCTVERSION 2,3,681,0
|
||||
FILEVERSION 2,3,682,0
|
||||
PRODUCTVERSION 2,3,682,0
|
||||
FILEFLAGSMASK 0x3fL
|
||||
#ifdef _DEBUG
|
||||
FILEFLAGS 0x1L
|
||||
|
|
@ -689,13 +689,13 @@ BEGIN
|
|||
BEGIN
|
||||
VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)"
|
||||
VALUE "FileDescription", "Rufus"
|
||||
VALUE "FileVersion", "2.3.681"
|
||||
VALUE "FileVersion", "2.3.682"
|
||||
VALUE "InternalName", "Rufus"
|
||||
VALUE "LegalCopyright", "© 2011-2015 Pete Batard (GPL v3)"
|
||||
VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
|
||||
VALUE "OriginalFilename", "rufus.exe"
|
||||
VALUE "ProductName", "Rufus"
|
||||
VALUE "ProductVersion", "2.3.681"
|
||||
VALUE "ProductVersion", "2.3.682"
|
||||
END
|
||||
END
|
||||
BLOCK "VarFileInfo"
|
||||
|
|
|
|||
18
src/stdfn.c
18
src/stdfn.c
|
|
@ -535,16 +535,18 @@ DWORD GetResourceSize(HMODULE module, char* name, char* type, const char* desc)
|
|||
// Run a console command, with optional redirection of stdout and stderr to our log
|
||||
DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
|
||||
{
|
||||
DWORD ret, dwRead, dwAvail, dwMsg;
|
||||
DWORD ret, dwRead, dwAvail, dwPipeSize = 4096;
|
||||
STARTUPINFOA si = {0};
|
||||
PROCESS_INFORMATION pi = {0};
|
||||
HANDLE hOutputRead = INVALID_HANDLE_VALUE, hOutputWrite = INVALID_HANDLE_VALUE;
|
||||
HANDLE hDupOutputWrite = INVALID_HANDLE_VALUE;
|
||||
char output[1024];
|
||||
static char* output;
|
||||
|
||||
si.cb = sizeof(si);
|
||||
if (log) {
|
||||
if (!CreatePipe(&hOutputRead, &hOutputWrite, NULL, sizeof(output)-1)) {
|
||||
// NB: The size of a pipe is a suggestion, NOT an absolute gaurantee
|
||||
// This means that you may get a pipe of 4K even if you requested 1K
|
||||
if (!CreatePipe(&hOutputRead, &hOutputWrite, NULL, dwPipeSize)) {
|
||||
ret = GetLastError();
|
||||
uprintf("Could not set commandline pipe: %s", WindowsErrorString());
|
||||
goto out;
|
||||
|
|
@ -568,14 +570,16 @@ DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
|
|||
if (log) {
|
||||
while (1) {
|
||||
// coverity[string_null]
|
||||
if (PeekNamedPipe(hOutputRead, output, sizeof(output)-1, &dwRead, &dwAvail, &dwMsg)) {
|
||||
// Don't care about possible multiple reads being needed
|
||||
if ((dwAvail != 0) && (ReadFile(hOutputRead, output, dwAvail, &dwRead, NULL)) && (dwRead != 0)) {
|
||||
// This seems to be needed. Won't overflow since we set our max sizes to sizeof(output)-1
|
||||
if (PeekNamedPipe(hOutputRead, NULL, dwPipeSize, NULL, &dwAvail, NULL)) {
|
||||
if (dwAvail != 0) {
|
||||
output = malloc(dwAvail + 1);
|
||||
if ((output != NULL) && (ReadFile(hOutputRead, output, dwAvail, &dwRead, NULL)) && (dwRead != 0)) {
|
||||
output[dwAvail] = 0;
|
||||
// coverity[tainted_string]
|
||||
uprintf(output);
|
||||
}
|
||||
free(output);
|
||||
}
|
||||
}
|
||||
if (WaitForSingleObject(pi.hProcess, 0) == WAIT_OBJECT_0)
|
||||
break;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue