[misc] fix Coverity warnings

* Also use a new if_not_assert() construct where possible.
2024-08-14 23:57:05 +00:00 · 2024-07-17 14:30:59 +01:00 · 2024-07-17 14:30:59 +01:00 · d5302c0bad
commit d5302c0bad
parent 78608c35fe
24 changed files with 134 additions and 70 deletions
--- a/src/badblocks.c
+++ b/src/badblocks.c
@ -426,6 +426,11 @@ static unsigned int test_rw(HANDLE hDrive, blk64_t last_block, size_t block_size
 		cancel_ops = -1;
 		return 0;
 	}
+	if ((first_block * block_size > 1 * PB) || (last_block * block_size > 1 * PB)) {
+		uprintf("%sDisk is too large\n", bb_prefix);
+		cancel_ops = -1;
+		return 0;
+	}

 	buffer = allocate_buffer(2 * blocks_at_once * block_size);
 	if (!buffer) {
@ -543,9 +548,13 @@ static unsigned int test_rw(HANDLE hDrive, blk64_t last_block, size_t block_size
 			for (i=0; i < got; i++) {
 				if (memcmp(read_buffer + i * block_size,
 					   buffer + i * block_size,
-					   block_size))
+					   block_size)) {
+					if_not_assert(currently_testing * block_size < 1 * PB) 
+						goto out;
+					// coverity[overflow_const]
 					bb_count += bb_output(currently_testing+i-got, CORRUPTION_ERROR);
 				}
+			}
 			if (v_flag > 1)
 				print_status();
 		}
--- a/src/bled/crc32.c
+++ b/src/bled/crc32.c
@ -38,6 +38,7 @@ static void crc32init_le(uint32_t *crc32table_le)
 	crc32table_le[0] = 0;

 	for (i = 1 << (CRC_LE_BITS - 1); i; i >>= 1) {
+		// coverity[overflow_const]
 		crc = (crc >> 1) ^ ((crc & 1) ? CRCPOLY_LE : 0);
 		for (j = 0; j < 1 << CRC_LE_BITS; j += 2 * i)
 			crc32table_le[i + j] = crc ^ crc32table_le[j];
@ -81,6 +82,7 @@ static void crc32init_be(uint32_t *crc32table_be)
 	uint32_t crc = 0x80000000;

 	for (i = 1; i < 1 << CRC_BE_BITS; i <<= 1) {
+		// coverity[overflow_const]
 		crc = (crc << 1) ^ ((crc & 0x80000000) ? CRCPOLY_BE : 0);
 		for (j = 0; j < i; j++)
 			crc32table_be[i + j] = crc ^ crc32table_be[j];
--- a/src/bled/decompress_gunzip.c
+++ b/src/bled/decompress_gunzip.c
@ -280,6 +280,7 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
 		bytebuffer_offset++;
 		*current += 8;
 	}
+	// coverity[return_overflow]
 	return bitbuffer;
 }

@ -661,7 +662,7 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)


 /* called once from inflate_block */
-static void inflate_stored_setup(STATE_PARAM int my_n, int my_b, int my_k)
+static void inflate_stored_setup(STATE_PARAM unsigned my_n, unsigned my_b, unsigned my_k)
 {
 	inflate_stored_n = my_n;
 	inflate_stored_b = my_b;
@ -1043,7 +1044,15 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate)
 			n = (nwrote <0)?nwrote:-1;
 			goto ret;
 		}
-		IF_DESKTOP(n += nwrote;)
+#if ENABLE_DESKTOP
+		long long int v = n + nwrote;
+		if (v < n) {
+			bb_simple_error_msg("overflow");
+			n = -1;
+			goto ret;
+		}
+		n = v;
+#endif
 		if (r == 0) break;
 	}

@ -1054,6 +1063,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate)
 		bytebuffer_offset--;
 		bytebuffer[bytebuffer_offset] = gunzip_bb & 0xff;
 		gunzip_bb >>= 8;
+		// coverity[overflow_const]
 		gunzip_bk -= 8;
 	}
 ret:
--- a/src/bled/libbb.h
+++ b/src/bled/libbb.h
@ -23,6 +23,7 @@
 #include "platform.h"
 #include "msapi_utf8.h"

+#include <assert.h>
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
--- a/src/bled/xz_config.h
+++ b/src/bled/xz_config.h
@ -18,6 +18,7 @@
 /* #define XZ_DEC_ARMTHUMB */
 /* #define XZ_DEC_SPARC */

+#include <assert.h>
 #include <stdbool.h>
 #include <stdlib.h>
 #include <string.h>
--- a/src/bled/xz_dec_bcj.c
+++ b/src/bled/xz_dec_bcj.c
@ -109,6 +109,7 @@ static noinline_for_stack size_t XZ_FUNC bcj_x86(
 		if ((buf[i] & 0xFE) != 0xE8)
 			continue;

+		// coverity[overflow_const]
 		prev_pos = i - prev_pos;
 		if (prev_pos > 3) {
 			prev_mask = 0;
--- a/src/bled/xz_dec_lzma2.c
+++ b/src/bled/xz_dec_lzma2.c
@ -622,7 +622,7 @@ static void XZ_FUNC lzma_len(struct xz_dec_lzma2 *s, struct lzma_len_dec *l,
 		uint32_t pos_state)
 {
 	uint16_t *probs;
-	uint32_t limit;
+	uint32_t limit, v;

 	if (!rc_bit(&s->rc, &l->choice)) {
 		probs = l->low[pos_state];
@ -641,7 +641,9 @@ static void XZ_FUNC lzma_len(struct xz_dec_lzma2 *s, struct lzma_len_dec *l,
 		}
 	}

-	s->lzma.len += rc_bittree(&s->rc, probs, limit) - limit;
+	v = s->lzma.len + rc_bittree(&s->rc, probs, limit) - limit;
+	assert(v >= s->lzma.len);
+	s->lzma.len = (v < s->lzma.len) ? 0 : v;
 }

 /* Decode a match. The distance will be stored in s->lzma.rep0. */
@ -660,6 +662,7 @@ static void XZ_FUNC lzma_match(struct xz_dec_lzma2 *s, uint32_t pos_state)
 	lzma_len(s, &s->lzma.match_len_dec, pos_state);

 	probs = s->lzma.dist_slot[lzma_get_dist_state(s->lzma.len)];
+	// coverity[overflow_const]
 	dist_slot = rc_bittree(&s->rc, probs, DIST_SLOTS) - DIST_SLOTS;

 	if (dist_slot < DIST_MODEL_START) {
--- a/src/dev.c
+++ b/src/dev.c
@ -137,7 +137,8 @@ BOOL CyclePort(int index)
 	DWORD size;
 	USB_CYCLE_PORT_PARAMS cycle_port;

-	assert(index < MAX_DRIVES);
+	if_not_assert(index < MAX_DRIVES)
+		return -1;
 	// Wait at least 10 secs between resets
 	if (GetTickCount64() < LastReset + 10000ULL) {
 		uprintf("You must wait at least 10 seconds before trying to reset a device");
@ -190,7 +191,8 @@ int CycleDevice(int index)
 	SP_DEVINFO_DATA dev_info_data;
 	SP_PROPCHANGE_PARAMS propchange_params;

-	assert(index < MAX_DRIVES);
+	if_not_assert(index < MAX_DRIVES)
+		return ERROR_INVALID_DRIVE;
 	if ((index < 0) || (safe_strlen(rufus_drive[index].id) < 8))
 		return ERROR_INVALID_PARAMETER;

@ -583,8 +585,10 @@ BOOL GetDevices(DWORD devnum)

 	// Better safe than sorry. And yeah, we could have used arrays of
 	// arrays to avoid this, but it's more readable this way.
-	assert((uasp_start > 0) && (uasp_start < ARRAYSIZE(usbstor_name)));
-	assert((card_start > 0) && (card_start < ARRAYSIZE(genstor_name)));
+	if_not_assert((uasp_start > 0) && (uasp_start < ARRAYSIZE(usbstor_name)))
+		goto out;
+	if_not_assert((card_start > 0) && (card_start < ARRAYSIZE(genstor_name)))
+		goto out;

 	devid_list = NULL;
 	if (full_list_size != 0) {
@ -671,7 +675,8 @@ BOOL GetDevices(DWORD devnum)
 				}
 				// Also test for "_SD&" instead of "_SD_" and so on to allow for devices like
 				// "SCSI\DiskRicoh_Storage_SD&REV_3.0" to be detected.
-				assert(strlen(scsi_card_name_copy) > 1);
+				if_not_assert(strlen(scsi_card_name_copy) > 1)
+					continue;
 				scsi_card_name_copy[strlen(scsi_card_name_copy) - 1] = '&';
 				if (safe_strstr(buffer, scsi_card_name_copy) != NULL) {
 					props.is_CARD = TRUE;
@ -999,7 +1004,8 @@ BOOL GetDevices(DWORD devnum)
 				rufus_drive[num_drives].display_name = safe_strdup(display_name);
 				rufus_drive[num_drives].label = safe_strdup(label);
 				rufus_drive[num_drives].size = drive_size;
-				assert(rufus_drive[num_drives].size != 0);
+				if_not_assert(rufus_drive[num_drives].size != 0)
+					break;
 				if (hub_path != NULL) {
 					rufus_drive[num_drives].hub = safe_strdup(hub_path);
 					rufus_drive[num_drives].port = props.port;
--- a/src/drive.c
+++ b/src/drive.c
@ -280,9 +280,12 @@ char* GetLogicalName(DWORD DriveIndex, uint64_t PartitionOffset, BOOL bKeepTrail

 		// Sanity checks
 		len = safe_strlen(volume_name);
-		assert(len > 4);
-		assert(safe_strnicmp(volume_name, volume_start, 4) == 0);
-		assert(volume_name[len - 1] == '\\');
+		if_not_assert(len > 4)
+			continue;
+		if_not_assert(safe_strnicmp(volume_name, volume_start, 4) == 0)
+			continue;
+		if_not_assert(volume_name[len - 1] == '\\')
+			continue;

 		drive_type = GetDriveTypeA(volume_name);
 		if ((drive_type != DRIVE_REMOVABLE) && (drive_type != DRIVE_FIXED))
@ -1817,6 +1820,7 @@ const char* GetFsName(HANDLE hPhysical, LARGE_INTEGER StartingOffset)
 			}
 		}
 		assert(rev < ARRAYSIZE(ext_names));
+		if (rev < ARRAYSIZE(ext_names))
 			ret = ext_names[rev];
 		goto out;
 	}
--- a/src/ext2fs/dirhash.c
+++ b/src/ext2fs/dirhash.c
@ -45,6 +45,7 @@ static void TEA_transform(__u32 buf[4], __u32 const in[])
 	int	n = 16;

 	do {
+		// coverity[overflow_const]
 		sum += DELTA;
 		b0 += ((b1 << 4)+a) ^ (b1+sum) ^ ((b1 >> 5)+b);
 		b1 += ((b0 << 4)+c) ^ (b0+sum) ^ ((b0 >> 5)+d);
--- a/src/ext2fs/initialize.c
+++ b/src/ext2fs/initialize.c
@ -11,6 +11,7 @@
 */

 #include "config.h"
+#include <assert.h>
 #include <stdio.h>
 #include <string.h>
 #if HAVE_UNISTD_H
@ -374,6 +375,8 @@ ipg_retry:
 	 * adjust inode count to reflect the adjusted inodes_per_group
 	 */
 	if ((__u64)super->s_inodes_per_group * fs->group_desc_count > ~0U) {
+		assert(ipg != 0);
+		if (ipg != 0)
 			ipg--;
 		goto ipg_retry;
 	}
--- a/src/format.c
+++ b/src/format.c
@ -117,8 +117,7 @@ static BOOLEAN __stdcall FormatExCallback(FILE_SYSTEM_CALLBACK_COMMAND Command,
 	if (IS_ERROR(ErrorStatus))
 		return FALSE;

-	assert((actual_fs_type >= 0) && (actual_fs_type < FS_MAX));
-	if ((actual_fs_type < 0) || (actual_fs_type >= FS_MAX))
+	if_not_assert((actual_fs_type >= 0) && (actual_fs_type < FS_MAX))
 		return FALSE;

 	switch(Command) {
@ -1108,6 +1107,10 @@ static int sector_write(int fd, const void* _buf, unsigned int count)

 	if (sec_size == 0)
 		sec_size = 512;
+	if_not_assert(sec_size <= 64 * KB)
+		return -1;
+	if_not_assert(count <= 1 * GB)
+		return -1;

 	// If we are on a sector boundary and count is multiple of the
 	// sector size, just issue a regular write
@ -1116,6 +1119,8 @@ static int sector_write(int fd, const void* _buf, unsigned int count)

 	// If we have an existing partial sector, fill and write it
 	if (sec_buf_pos > 0) {
+		if_not_assert(sec_size >= sec_buf_pos)
+			return -1;
 		fill_size = min(sec_size - sec_buf_pos, count);
 		memcpy(&sec_buf[sec_buf_pos], buf, fill_size);
 		sec_buf_pos += fill_size;
@ -1133,10 +1138,18 @@ static int sector_write(int fd, const void* _buf, unsigned int count)
 	written = _write(fd, &buf[fill_size], sec_num * sec_size);
 	if (written < 0)
 		return written;
-	else if (written != sec_num * sec_size)
-		return fill_size + written;
+	if (written != sec_num * sec_size) {
+		// Detect overflows
+		// coverity[overflow]
+		int v = fill_size + written;
+		if_not_assert(v >= fill_size)
+			return -1;
+		else
+			return v;
+	}
 	sec_buf_pos = count - fill_size - written;
-	assert(sec_buf_pos < sec_size);
+	if_not_assert(sec_buf_pos < sec_size)
+		return -1;

 	// Keep leftover bytes, if any, in the sector buffer
 	if (sec_buf_pos != 0)
@ -1180,7 +1193,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 			uprintf("Could not allocate disk zeroing buffer");
 			goto out;
 		}
-		assert((uintptr_t)buffer % SelectedDrive.SectorSize == 0);
+		if_not_assert((uintptr_t)buffer % SelectedDrive.SectorSize == 0)
+			goto out;

 		// Clear buffer
 		memset(buffer, fast_zeroing ? 0xff : 0x00, buf_size);
@ -1192,7 +1206,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 				uprintf("Could not allocate disk comparison buffer");
 				goto out;
 			}
-			assert((uintptr_t)cmp_buffer % SelectedDrive.SectorSize == 0);
+			if_not_assert((uintptr_t)cmp_buffer % SelectedDrive.SectorSize == 0)
+				goto out;
 		}

 		read_size[0] = buf_size;
@ -1290,7 +1305,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 			uprintf("Could not allocate disk write buffer");
 			goto out;
 		}
-		assert((uintptr_t)sec_buf % SelectedDrive.SectorSize == 0);
+		if_not_assert((uintptr_t)sec_buf% SelectedDrive.SectorSize == 0)
+			goto out;
 		sec_buf_pos = 0;
 		bled_init(256 * KB, uprintf, NULL, sector_write, update_progress, NULL, &ErrorStatus);
 		bled_ret = bled_uncompress_with_handles(hSourceImage, hPhysicalDrive, img_report.compression_type);
@ -1312,7 +1328,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 			goto out;
 		}
 	} else {
-		assert(img_report.compression_type != IMG_COMPRESSION_FFU);
+		if_not_assert(img_report.compression_type != IMG_COMPRESSION_FFU)
+			goto out;
 		// VHD/VHDX require mounting the image first
 		if (img_report.compression_type == IMG_COMPRESSION_VHD ||
 			img_report.compression_type == IMG_COMPRESSION_VHDX) {
@ -1338,7 +1355,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 			uprintf("Could not allocate disk write buffer");
 			goto out;
 		}
-		assert((uintptr_t)buffer % SelectedDrive.SectorSize == 0);
+		if_not_assert((uintptr_t)buffer% SelectedDrive.SectorSize == 0)
+			goto out;

 		// Start the initial read
 		ReadFileAsync(hSourceImage, &buffer[read_bufnum * buf_size], (DWORD)MIN(buf_size, target_size));
@ -1365,7 +1383,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)

 			// 2. WriteFile fails unless the size is a multiple of sector size
 			if (read_size[read_bufnum] % SelectedDrive.SectorSize != 0) {
-				assert(HI_ALIGN_X_TO_Y(read_size[read_bufnum], SelectedDrive.SectorSize) <= buf_size);
+				if_not_assert(HI_ALIGN_X_TO_Y(read_size[read_bufnum], SelectedDrive.SectorSize) <= buf_size)
+					goto out;
 				read_size[read_bufnum] = HI_ALIGN_X_TO_Y(read_size[read_bufnum], SelectedDrive.SectorSize);
 			}

@ -1660,7 +1679,8 @@ DWORD WINAPI FormatThread(void* param)
 		if (img_report.compression_type == IMG_COMPRESSION_FFU) {
 			char cmd[MAX_PATH + 128], *physical = NULL;
 			// Should have been filtered out beforehand
-			assert(has_ffu_support);
+			if_not_assert(has_ffu_support)
+				goto out;
 			safe_unlockclose(hPhysicalDrive);
 			physical = GetPhysicalName(SelectedDrive.DeviceNumber);
 			static_sprintf(cmd, "dism /Apply-Ffu /ApplyDrive:%s /ImageFile:\"%s\"", physical, image_path);
@ -1848,8 +1868,7 @@ DWORD WINAPI FormatThread(void* param)
 			// All good
 		} else if (target_type == TT_UEFI) {
 			// For once, no need to do anything - just check our sanity
-			assert((boot_type == BT_IMAGE) && IS_EFI_BOOTABLE(img_report) && (fs_type <= FS_NTFS));
-			if ( (boot_type != BT_IMAGE) || !IS_EFI_BOOTABLE(img_report) || (fs_type > FS_NTFS) ) {
+			if_not_assert((boot_type == BT_IMAGE) && IS_EFI_BOOTABLE(img_report) && (fs_type <= FS_NTFS)) {
 				ErrorStatus = RUFUS_ERROR(ERROR_INSTALL_FAILURE);
 				goto out;
 			}
@ -1924,7 +1943,8 @@ DWORD WINAPI FormatThread(void* param)
 						ErrorStatus = RUFUS_ERROR(APPERR(ERROR_CANT_PATCH));
 				}
 			} else {
-				assert(!img_report.is_windows_img);
+				if_not_assert(!img_report.is_windows_img)
+					goto out;
 				if (!ExtractISO(image_path, drive_name, FALSE)) {
 					if (!IS_ERROR(ErrorStatus))
 						ErrorStatus = RUFUS_ERROR(APPERR(ERROR_ISO_EXTRACT));
--- a/src/iso.c
+++ b/src/iso.c
@ -1571,8 +1571,8 @@ uint32_t ReadISOFileToBuffer(const char* iso, const char* iso_file, uint8_t** bu
 		goto out;
 	}
 	file_length = udf_get_file_length(p_udf_file);
-	if (file_length > UINT32_MAX) {
-		uprintf("Only files smaller than 4 GB are supported");
+	if (file_length > 1 * GB) {
+		uprintf("Only files smaller than 1 GB are supported");
 		goto out;
 	}
 	nblocks = (uint32_t)((file_length + UDF_BLOCKSIZE - 1) / UDF_BLOCKSIZE);
@ -1604,10 +1604,11 @@ try_iso:
 		goto out;
 	}
 	file_length = p_statbuf->total_size;
-	if (file_length > UINT32_MAX) {
-		uprintf("Only files smaller than 4 GB are supported");
+	if (file_length > 1 * GB) {
+		uprintf("Only files smaller than 1 GB are supported");
 		goto out;
 	}
+	// coverity[cast_overflow]
 	nblocks = (uint32_t)((file_length + ISO_BLOCKSIZE - 1) / ISO_BLOCKSIZE);
 	*buf = malloc(nblocks * ISO_BLOCKSIZE + 1);
 	if (*buf == NULL) {
--- a/src/process.c
+++ b/src/process.c
@ -407,7 +407,8 @@ static PWSTR GetProcessCommandLine(HANDLE hProcess)

 		ucmdline = (UNICODE_STRING*)(pp + cmd_offset);
 		// In the absolute, someone could craft a process with dodgy attributes to try to cause an overflow
-		ucmdline->Length = min(ucmdline->Length, 512);
+		// coverity[cast_overflow]
+		ucmdline->Length = min(ucmdline->Length, (USHORT)512);
 		wcmdline = (PWSTR)calloc(ucmdline->Length + 1, sizeof(WCHAR));
 		if (!ReadProcessMemory(hProcess, ucmdline->Buffer, wcmdline, ucmdline->Length, NULL)) {
 			safe_free(wcmdline);
@ -493,8 +494,7 @@ static DWORD WINAPI SearchProcessThread(LPVOID param)
 		// Work on our own copy of the handle names so we don't have to hold the
 		// mutex for string comparison. Update only if the version has changed.
 		if (blocking_process.nVersion[0] != blocking_process.nVersion[1]) {
-			assert(blocking_process.wHandleName != NULL && blocking_process.nHandles != 0);
-			if (blocking_process.wHandleName == NULL || blocking_process.nHandles == 0) {
+			if_not_assert(blocking_process.wHandleName != NULL && blocking_process.nHandles != 0) {
 				ReleaseMutex(hLock);
 				goto out;
 			}
@ -930,8 +930,7 @@ BYTE GetProcessSearch(uint32_t timeout, uint8_t access_mask, BOOL bIgnoreStalePr
 		return 0;
 	}

-	assert(blocking_process.hLock != NULL);
-	if (blocking_process.hLock == NULL)
+	if_not_assert(blocking_process.hLock != NULL)
 		return 0;

 retry:
--- a/src/registry.h
+++ b/src/registry.h
@ -37,11 +37,9 @@ static __inline BOOL DeleteRegistryKey(HKEY key_root, const char* key_name)
 	HKEY hSoftware = NULL;
 	LONG s;

-	assert(key_root == REGKEY_HKCU);
-	if (key_root != REGKEY_HKCU)
+	if_not_assert(key_root == REGKEY_HKCU)
 		return FALSE;
-	assert(key_name != NULL);
-	if (key_name == NULL)
+	if_not_assert(key_name != NULL)
 		return FALSE;

 	if (RegOpenKeyExA(key_root, "SOFTWARE", 0, KEY_READ|KEY_CREATE_SUB_KEY, &hSoftware) != ERROR_SUCCESS)
@ -135,15 +133,12 @@ static __inline BOOL _SetRegistryKey(HKEY key_root, const char* key_name, DWORD
 	HKEY hRoot = NULL, hApp = NULL;
 	DWORD dwDisp, dwType = reg_type;

-	assert(key_name != NULL);
-	if (key_name == NULL)
+	if_not_assert(key_name != NULL)
 		return FALSE;
-	assert(key_root == REGKEY_HKCU);
-	if (key_root != REGKEY_HKCU)
+	if_not_assert(key_root == REGKEY_HKCU)
 		return FALSE;
 	// Validate that we are always dealing with a short key
-	assert(strchr(key_name, '\\') == NULL);
-	if (strchr(key_name, '\\') != NULL)
+	if_not_assert(strchr(key_name, '\\') == NULL)
 		return FALSE;

 	if (RegOpenKeyExA(key_root, NULL, 0, KEY_READ|KEY_CREATE_SUB_KEY, &hRoot) != ERROR_SUCCESS) {
--- a/src/rufus.c
+++ b/src/rufus.c
@ -1131,7 +1131,8 @@ static void DisplayISOProps(void)
 // Insert the image name into the Boot selection dropdown and (re)populate the Image option dropdown
 static void UpdateImage(BOOL update_image_option_only)
 {
-	assert(image_index != 0);
+	if_not_assert(image_index != 0)
+		return;

 	if (!update_image_option_only) {
 		if (ComboBox_GetItemData(hBootType, image_index) == BT_IMAGE)
@ -1429,8 +1430,7 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
 	}

 	if (boot_type == BT_IMAGE) {
-		assert(image_path != NULL);
-		if (image_path == NULL)
+		if_not_assert(image_path != NULL)
 			goto out;
 		if ((size_check) && (img_report.projected_size > (uint64_t)SelectedDrive.DiskSize)) {
 			// This ISO image is too big for the selected target
--- a/src/rufus.h
+++ b/src/rufus.h
@ -15,6 +15,7 @@
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
+#include <assert.h>
 #include <windows.h>
 #include <malloc.h>
 #include <inttypes.h>
@ -36,6 +37,7 @@
 #define MB                          1048576LL
 #define GB                          1073741824LL
 #define TB                          1099511627776LL
+#define PB                          1125899906842624LL

 /*
 * Features not ready for prime time and that may *DESTROY* your data - USE AT YOUR OWN RISKS!
@ -186,6 +188,7 @@ static __inline void static_repchr(char* p, char s, char r) {
 }
 #define to_unix_path(str) static_repchr(str, '\\', '/')
 #define to_windows_path(str) static_repchr(str, '/', '\\')
+#define if_not_assert(cond) assert(cond); if (!(cond))

 extern void uprintf(const char *format, ...);
 extern void uprintfs(const char *str);
--- a/src/rufus.rc
+++ b/src/rufus.rc
@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.6.2189"
+CAPTION "Rufus 4.6.2190"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
    LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@ -397,8 +397,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,6,2189,0
- PRODUCTVERSION 4,6,2189,0
+ FILEVERSION 4,6,2190,0
+ PRODUCTVERSION 4,6,2190,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -416,13 +416,13 @@ BEGIN
            VALUE "Comments", "https://rufus.ie"
            VALUE "CompanyName", "Akeo Consulting"
            VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.6.2189"
+            VALUE "FileVersion", "4.6.2190"
            VALUE "InternalName", "Rufus"
            VALUE "LegalCopyright", "<22> 2011-2024 Pete Batard (GPL v3)"
            VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
            VALUE "OriginalFilename", "rufus-4.6.exe"
            VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.6.2189"
+            VALUE "ProductVersion", "4.6.2190"
        END
    END
    BLOCK "VarFileInfo"
--- a/src/stdfn.c
+++ b/src/stdfn.c
@ -80,8 +80,7 @@ BOOL htab_create(uint32_t nel, htab_table* htab)
 	if (htab == NULL) {
 		return FALSE;
 	}
-	assert(htab->table == NULL);
-	if (htab->table != NULL) {
+	if_not_assert(htab->table == NULL) {
 		uprintf("Warning: htab_create() was called with a non empty table");
 		return FALSE;
 	}
@ -197,8 +196,7 @@ uint32_t htab_hash(char* str, htab_table* htab)
 	// Not found => New entry

 	// If the table is full return an error
-	assert(htab->filled < htab->size);
-	if (htab->filled >= htab->size) {
+	if_not_assert(htab->filled < htab->size) {
 		uprintf("Hash table is full (%d entries)", htab->size);
 		return 0;
 	}
@ -1199,7 +1197,8 @@ BOOL MountRegistryHive(const HKEY key, const char* pszHiveName, const char* pszH
 	LSTATUS status;
 	HANDLE token = INVALID_HANDLE_VALUE;

-	assert((key == HKEY_LOCAL_MACHINE) || (key == HKEY_USERS));
+	if_not_assert((key == HKEY_LOCAL_MACHINE) || (key == HKEY_USERS))
+		return FALSE;

 	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
 		uprintf("Could not get current process token: %s", WindowsErrorString());
@ -1230,7 +1229,8 @@ BOOL UnmountRegistryHive(const HKEY key, const char* pszHiveName)
 {
 	LSTATUS status;

-	assert((key == HKEY_LOCAL_MACHINE) || (key == HKEY_USERS));
+	if_not_assert((key == HKEY_LOCAL_MACHINE) || (key == HKEY_USERS))
+		return FALSE;

 	status = RegUnLoadKeyA(key, pszHiveName);
 	if (status != ERROR_SUCCESS) {
--- a/src/stdio.c
+++ b/src/stdio.c
@ -857,7 +857,8 @@ uint32_t ResolveDllAddress(dll_resolver_t* resolver)

 	// NB: SymLoadModuleEx() does not load a PDB unless the file has an explicit '.pdb' extension
 	base_address = pfSymLoadModuleEx(hRufus, NULL, path, NULL, DEFAULT_BASE_ADDRESS, 0, NULL, 0);
-	assert(base_address == DEFAULT_BASE_ADDRESS);
+	if_not_assert(base_address == DEFAULT_BASE_ADDRESS)
+		goto out;
 	// On Windows 11 ARM64 the following call will return *TWO* different addresses for the same
 	// call, because most Windows DLL's are ARM64X, which means that they are an unholy union of
 	// both X64 and ARM64 code in the same binary...
--- a/src/stdlg.c
+++ b/src/stdlg.c
@ -588,7 +588,8 @@ INT_PTR CALLBACK NotificationCallback(HWND hDlg, UINT message, WPARAM wParam, LP
 			return (INT_PTR)TRUE;
 		case IDC_MORE_INFO:
 			if (notification_more_info != NULL) {
-				assert(notification_more_info->callback != NULL);
+				if_not_assert(notification_more_info->callback != NULL)
+					return (INT_PTR)FALSE;
 				if (notification_more_info->id == MORE_INFO_URL) {
 					ShellExecuteA(hDlg, "open", notification_more_info->url, NULL, NULL, SW_SHOWNORMAL);
 				} else {
--- a/src/ui.c
+++ b/src/ui.c
@ -575,7 +575,8 @@ void SetSectionHeaders(HWND hDlg)
 		memset(wtmp, 0, sizeof(wtmp));
 		GetWindowTextW(hCtrl, wtmp, ARRAYSIZE(wtmp) - 4);
 		wlen = wcslen(wtmp);
-		assert(wlen < ARRAYSIZE(wtmp) - 2);
+		if_not_assert(wlen < ARRAYSIZE(wtmp) - 2)
+			break;
 		wtmp[wlen++] = L' ';
 		wtmp[wlen++] = L' ';
 		SetWindowTextW(hCtrl, wtmp);
--- a/src/vhd.c
+++ b/src/vhd.c
@ -1006,8 +1006,9 @@ static DWORD WINAPI VhdSaveImageThread(void* param)
 	OVERLAPPED overlapped = { 0 };
 	DWORD r = ERROR_NOT_FOUND, flags;

-	assert(img_save->Type == VIRTUAL_STORAGE_TYPE_DEVICE_VHD ||
-		img_save->Type == VIRTUAL_STORAGE_TYPE_DEVICE_VHDX);
+	if_not_assert(img_save->Type == VIRTUAL_STORAGE_TYPE_DEVICE_VHD ||
+		img_save->Type == VIRTUAL_STORAGE_TYPE_DEVICE_VHDX)
+		return ERROR_INVALID_PARAMETER;

 	UpdateProgressWithInfoInit(NULL, FALSE);

--- a/src/wue.c
+++ b/src/wue.c
@ -905,7 +905,8 @@ BOOL ApplyWindowsCustomization(char drive_letter, int flags)
 			// If we have a windowsPE section, copy the answer files to the root of boot.wim as
 			// Autounattend.xml. This also results in that file being automatically copied over
 			// to %WINDIR%\Panther\unattend.xml for later passes processing.
-			assert(mount_path != NULL);
+			if_not_assert(mount_path != NULL)
+				goto out;
 			static_sprintf(path, "%s\\Autounattend.xml", mount_path);
 			if (!CopyFileU(unattend_xml_path, path, TRUE)) {
 				uprintf("Could not create boot.wim 'Autounattend.xml': %s", WindowsErrorString());