[misc] fix a potential double free and avoid nonsensical error messages
* buf could be freed twice in iso.c.
* Using HRESULT_CODE(error_code) in WindowsErrorString() could lead to "Error: SUCCESS" messages.
* Closes #2524.
* Also try to address potential issues that appear to have been seen in the wild.
pbatard committed Sep 30, 2024
1 parent 248a37e commit f453dc2
Showing 6 changed files with 20 additions and 15 deletions.
4 changes: 2 additions & 2 deletions src/dev.c
@@ -877,8 +877,8 @@ BOOL GetDevices(DWORD devnum)
continue;
}

hDrive = CreateFileA(devint_detail_data->DevicePath, GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
hDrive = CreateFileWithTimeout(devint_detail_data->DevicePath, GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL, 3000);
if(hDrive == INVALID_HANDLE_VALUE) {
uprintf("Could not open '%s': %s", devint_detail_data->DevicePath, WindowsErrorString());
continue;
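Review bot: The `3000` passed as the new last argument of `CreateFileWithTimeout` in GetDevices is an unexplained literal, and nothing at the call says that a device which does not answer in time is now dropped from enumeration by the `continue` below. A named constant for the timeout and a comment above the call such as `// Bound the open so one unresponsive device cannot stall enumeration; on timeout the drive is skipped` would make that explicit. Whether the `WindowsErrorString()` in the failure log then reports the timeout depends on CreateFileWithTimeout setting the last error, which this hunk does not show. GetDevices starts and ends outside the hunk.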
6 changes: 4 additions & 2 deletions src/drive.c
@@ -1894,10 +1894,12 @@ BOOL GetDrivePartitionData(DWORD DriveIndex, char* FileSystemName, DWORD FileSys
SelectedDrive.SectorsPerTrack = DiskGeometry->Geometry.SectorsPerTrack;
SelectedDrive.MediaType = DiskGeometry->Geometry.MediaType;

suprintf("Disk type: %s, Disk size: %s, Sector size: %d bytes", (SelectedDrive.MediaType == FixedMedia)?"FIXED":"Removable",
suprintf("Disk type: %s, Disk size: %s, Sector size: %d bytes",
(SelectedDrive.MediaType == FixedMedia) ? "FIXED" : "Removable",
SizeToHumanReadable(SelectedDrive.DiskSize, FALSE, TRUE), SelectedDrive.SectorSize);
suprintf("Cylinders: %" PRIi64 ", Tracks per cylinder: %d, Sectors per track: %d",
DiskGeometry->Geometry.Cylinders, DiskGeometry->Geometry.TracksPerCylinder, DiskGeometry->Geometry.SectorsPerTrack);
assert(SelectedDrive.SectorSize != 0);

r = DeviceIoControl(hPhysical, IOCTL_DISK_GET_DRIVE_LAYOUT_EX, NULL, 0, layout, sizeof(layout), &size, NULL );
if (!r || size <= 0) {
@@ -1965,7 +1967,7 @@ BOOL GetDrivePartitionData(DWORD DriveIndex, char* FileSystemName, DWORD FileSys
SizeToHumanReadable(DriveLayout->PartitionEntry[i].PartitionLength.QuadPart, TRUE, FALSE),
DriveLayout->PartitionEntry[i].PartitionLength.QuadPart,
DriveLayout->PartitionEntry[i].StartingOffset.QuadPart / SelectedDrive.SectorSize,
DriveLayout->PartitionEntry[i].Mbr.BootIndicator?"Yes":"No");
DriveLayout->PartitionEntry[i].Mbr.BootIndicator ? "Yes" : "No");
// suprintf(" GUID: %s", GuidToString(&DriveLayout->PartitionEntry[i].Mbr.PartitionId));
SelectedDrive.FirstDataSector = min(SelectedDrive.FirstDataSector,
(DWORD)(DriveLayout->PartitionEntry[i].StartingOffset.QuadPart / SelectedDrive.SectorSize));
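Review bot: The added `assert(SelectedDrive.SectorSize != 0);` protects the later `StartingOffset.QuadPart / SelectedDrive.SectorSize` divisions only in builds where this assert is active; if it expands to nothing in release builds, a device that reports a zero sector size still reaches a division by zero. The value appears to come from device-reported geometry, so a runtime check is the safer guard, e.g. `if (SelectedDrive.SectorSize == 0) { suprintf("Invalid sector size"); return FALSE; }`, adjusted to whatever cleanup the function's other error paths perform. GetDrivePartitionData starts and ends outside the hunks shown, so where SectorSize is assigned and how `hPhysical` is released on failure cannot be confirmed from here.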
7 changes: 5 additions & 2 deletions src/hash.c
@@ -1607,8 +1607,7 @@ static int cmp_pe_section(const void* arg1, const void* arg2)
* @len: Size of @efi
* @regp: Pointer to a list of regions
*
* Parse image binary in PE32(+) format, assuming that sanity of PE image
* has been checked by a caller.
* Parse image binary in PE32(+) format.
*
* Return: TRUE on success, FALSE on error
*/
@@ -1623,7 +1622,11 @@ BOOL efi_image_parse(uint8_t* efi, size_t len, struct efi_image_regions** regp)
uint32_t align, size, authsz;
size_t bytes_hashed;

if (len < 0x80)
return FALSE;
dos = (void*)efi;
if (dos->e_lfanew > len - 0x40)
return FALSE;
nt = (void*)(efi + dos->e_lfanew);
authsz = 0;

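Review bot: The new `dos->e_lfanew > len - 0x40` test in efi_image_parse guarantees only 0x40 bytes after `e_lfanew`, which is smaller than a PE32 or PE32+ NT header, so fields read through `nt` later in the function (outside this hunk) can still lie past `len` on a truncated or malformed image. Bounding against the header size instead, `if (len < sizeof(*nt) || dos->e_lfanew > len - sizeof(*nt)) return FALSE;`, would close that gap, keeping the larger PE32+ layout in mind if `nt` is declared as the 32-bit header. The literals `0x80` and `0x40` also deserve a comment saying what they stand for, now that the header comment no longer states that the caller has checked the image.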
2 changes: 1 addition & 1 deletion src/iso.c
@@ -1268,7 +1268,7 @@ BOOL ExtractISO(const char* src_iso, const char* dest_dir, BOOL scan)
sl_index = i;
}
}
free(buf);
safe_free(buf);
}
DeleteFileU(isolinux_tmp);
}
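Review bot: Nothing at the changed line says why `safe_free(buf)` is required instead of `free(buf)`, and the second release of `buf` that the commit message refers to lies outside this hunk. A comment such as `// buf may be released again later in ExtractISO, so it must be reset here` would keep a later cleanup from reverting the call. This assumes safe_free() clears the pointer after freeing, which the page does not show.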
10 changes: 5 additions & 5 deletions src/rufus.rc
@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
IDD_DIALOG DIALOGEX 12, 12, 232, 326
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_ACCEPTFILES
CAPTION "Rufus 4.6.2194"
CAPTION "Rufus 4.6.2195"
FONT 9, "Segoe UI Symbol", 400, 0, 0x0
BEGIN
LTEXT "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -397,8 +397,8 @@ END
//

VS_VERSION_INFO VERSIONINFO
FILEVERSION 4,6,2194,0
PRODUCTVERSION 4,6,2194,0
FILEVERSION 4,6,2195,0
PRODUCTVERSION 4,6,2195,0
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -416,13 +416,13 @@ BEGIN
VALUE "Comments", "https://rufus.ie"
VALUE "CompanyName", "Akeo Consulting"
VALUE "FileDescription", "Rufus"
VALUE "FileVersion", "4.6.2194"
VALUE "FileVersion", "4.6.2195"
VALUE "InternalName", "Rufus"
VALUE "LegalCopyright", "� 2011-2024 Pete Batard (GPL v3)"
VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
VALUE "OriginalFilename", "rufus-4.6.exe"
VALUE "ProductName", "Rufus"
VALUE "ProductVersion", "4.6.2194"
VALUE "ProductVersion", "4.6.2195"
END
END
BLOCK "VarFileInfo"
6 changes: 3 additions & 3 deletions src/stdio.c
@@ -260,8 +260,8 @@ const char *WindowsErrorString(void)
// coverity[var_deref_model]
size = FormatMessageU(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS |
((hModule != NULL) ? FORMAT_MESSAGE_FROM_HMODULE : 0), hModule,
HRESULT_CODE(error_code), MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US),
&err_string[presize], (DWORD)(sizeof(err_string)-strlen(err_string)), NULL);
error_code, MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US),
&err_string[presize], (DWORD)(sizeof(err_string) - strlen(err_string)), NULL);
if (size == 0) {
format_error = GetLastError();
switch (format_error) {
@@ -519,7 +519,7 @@ HANDLE CreateFileWithTimeout(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwS
if (hThread != NULL) {
if (WaitForSingleObject(hThread, dwTimeOut) == WAIT_TIMEOUT) {
CancelSynchronousIo(hThread);
WaitForSingleObject(hThread, INFINITE);
WaitForSingleObject(hThread, 30000);
params.dwError = WAIT_TIMEOUT;
}
CloseHandle(hThread);
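Review bot: The return value of the new bounded `WaitForSingleObject(hThread, 30000);` in CreateFileWithTimeout is ignored, so when the worker has still not exited after 30 seconds the function closes the thread handle and returns while that thread may keep running. `params.dwError` suggests `params` is an object owned by this function; if it is a local whose address was handed to the thread (not visible here), a late completion would write into a dead stack frame, and a handle the thread opens at that point is never closed. At minimum the result should be tested and logged, e.g. `if (WaitForSingleObject(hThread, 30000) != WAIT_OBJECT_0) uprintf("CreateFile thread did not exit after cancellation");`. A complete fix would give `params` a lifetime the thread controls, such as a heap allocation it frees itself. The function starts and ends outside the hunk.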
