[iso] fix a buffer overflow in syslinux.c

* p[safe_strlen(p)] = 0; was pointless and could lead to a buffer overflow if
  the string was not already NUL terminated, so remove it and make sure we
  process a buffer that either contains legitimate Syslinux version strings
  (that are NUL terminated always) or that has been read through read_file()
  (that always adds a NUL terminator to the buffer).
* Also fix some whitespaces in related code sections and switch to using
  read_file() for GRUB version lookup.
* Vulnerability discovered and reported by Mansour Gashasbi (@gashasbi).

src/iso.c

@@ -1233,18 +1233,9 @@ out:
 				char isolinux_tmp[MAX_PATH];
 				static_sprintf(isolinux_tmp, "%sisolinux.tmp", temp_dir);
 				size = (size_t)ExtractISOFile(src_iso, isolinux_path.String[i], isolinux_tmp, FILE_ATTRIBUTE_NORMAL);
-				if (size == 0) {
+				if ((size == 0) || (read_file(isolinux_tmp, &buf) != size)) {
 					uprintf("  Could not access %s", isolinux_path.String[i]);
 				} else {
-					buf = (char*)calloc(size, 1);
-					if (buf == NULL) break;
-					fd = fopen(isolinux_tmp, "rb");
-					if (fd == NULL) {
-						free(buf);
-						continue;
-					}
-					fread(buf, 1, size, fd);
-					fclose(fd);
 					sl_version = GetSyslinuxVersion(buf, size, &ext);
 					if (img_report.sl_version == 0) {
 						static_strcpy(img_report.sl_version_ext, ext);
@@ -1315,15 +1306,10 @@ out:
 			// coverity[swapped_arguments]
 			if (GetTempFileNameU(temp_dir, APPLICATION_NAME, 0, path) != 0) {
 				size = (size_t)ExtractISOFile(src_iso, grub_path, path, FILE_ATTRIBUTE_NORMAL);
-				buf = (char*)calloc(size, 1);
+				if ((size == 0) || (read_file(path, &buf) != size))
-				fd = fopen(path, "rb");
-				if ((size == 0) || (buf == NULL) || (fd == NULL)) {
 					uprintf("  Could not read Grub version from '%s'", grub_path);
-				} else {
+				else
-					fread(buf, 1, size, fd);
-					fclose(fd);
 					GetGrubVersion(buf, size);
-				}
 				free(buf);
 				DeleteFileU(path);
 			}

src/rufus.rc

@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.5.2127"
+CAPTION "Rufus 4.5.2128"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
     LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -397,8 +397,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,5,2127,0
+ FILEVERSION 4,5,2128,0
- PRODUCTVERSION 4,5,2127,0
+ PRODUCTVERSION 4,5,2128,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -416,13 +416,13 @@ BEGIN
             VALUE "Comments", "https://rufus.ie"
             VALUE "CompanyName", "Akeo Consulting"
             VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.5.2127"
+            VALUE "FileVersion", "4.5.2128"
             VALUE "InternalName", "Rufus"
             VALUE "LegalCopyright", "<22> 2011-2024 Pete Batard (GPL v3)"
             VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
             VALUE "OriginalFilename", "rufus-4.5.exe"
             VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.5.2127"
+            VALUE "ProductVersion", "4.5.2128"
         END
     END
     BLOCK "VarFileInfo"

src/syslinux.c

@@ -419,9 +419,11 @@ uint16_t GetSyslinuxVersion(char* buf, size_t buf_size, char** ext)
 			  continue;
 			i += sizeof(LINUX);
 			version = (((uint8_t)strtoul(&buf[i], &p, 10)) << 8) + (uint8_t)strtoul(&p[1], &p, 10);
+			// Our buffer is either from our internal legit syslinux (i.e. with a NUL terminated
+			// version string) or from a buffer that has been NUL-terminated through read_file(),
+			// so the string we work with in p is always NUL terminated at this stage.
 			if (version == 0)
 				continue;
-			p[safe_strlen(p)] = 0;
 			// Ensure that our extra version string starts with a slash
 			*p = '/';
 			// Remove the x.yz- duplicate if present