[misc] fix a potential double free and avoid nonsensical error messages

* buf could be freed twice in iso.c. * Using HRESULT_CODE(error_code) in WindowsErrorString() could lead to "Error: SUCCESS" messages. * Closes #2524. * Also try to address potential issues that appear to have been seen in the wild.
10 months ago · f453dc272b
6 changed files with 20 additions and 15 deletions
--- a/src/dev.c
+++ b/src/dev.c
@ -877,8 +877,8 @@ BOOL GetDevices(DWORD devnum)
 				continue;
 			}

-			hDrive = CreateFileA(devint_detail_data->DevicePath, GENERIC_READ|GENERIC_WRITE,
-				FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+			hDrive = CreateFileWithTimeout(devint_detail_data->DevicePath, GENERIC_READ|GENERIC_WRITE,
+				FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL, 3000);
 			if(hDrive == INVALID_HANDLE_VALUE) {
 				uprintf("Could not open '%s': %s", devint_detail_data->DevicePath, WindowsErrorString());
 				continue;
--- a/src/drive.c
+++ b/src/drive.c
@ -1894,10 +1894,12 @@ BOOL GetDrivePartitionData(DWORD DriveIndex, char* FileSystemName, DWORD FileSys
 	SelectedDrive.SectorsPerTrack = DiskGeometry->Geometry.SectorsPerTrack;
 	SelectedDrive.MediaType = DiskGeometry->Geometry.MediaType;

-	suprintf("Disk type: %s, Disk size: %s, Sector size: %d bytes", (SelectedDrive.MediaType == FixedMedia)?"FIXED":"Removable",
+	suprintf("Disk type: %s, Disk size: %s, Sector size: %d bytes",
+		(SelectedDrive.MediaType == FixedMedia) ? "FIXED" : "Removable",
 		SizeToHumanReadable(SelectedDrive.DiskSize, FALSE, TRUE), SelectedDrive.SectorSize);
 	suprintf("Cylinders: %" PRIi64 ", Tracks per cylinder: %d, Sectors per track: %d",
 		DiskGeometry->Geometry.Cylinders, DiskGeometry->Geometry.TracksPerCylinder, DiskGeometry->Geometry.SectorsPerTrack);
+	assert(SelectedDrive.SectorSize != 0);

 	r = DeviceIoControl(hPhysical, IOCTL_DISK_GET_DRIVE_LAYOUT_EX, NULL, 0, layout, sizeof(layout), &size, NULL );
 	if (!r || size <= 0) {
@ -1965,7 +1967,7 @@ BOOL GetDrivePartitionData(DWORD DriveIndex, char* FileSystemName, DWORD FileSys
 					SizeToHumanReadable(DriveLayout->PartitionEntry[i].PartitionLength.QuadPart, TRUE, FALSE),
 					DriveLayout->PartitionEntry[i].PartitionLength.QuadPart,
 					DriveLayout->PartitionEntry[i].StartingOffset.QuadPart / SelectedDrive.SectorSize,
-					DriveLayout->PartitionEntry[i].Mbr.BootIndicator?"Yes":"No");
+					DriveLayout->PartitionEntry[i].Mbr.BootIndicator ? "Yes" : "No");
 				// suprintf("  GUID: %s", GuidToString(&DriveLayout->PartitionEntry[i].Mbr.PartitionId));
 				SelectedDrive.FirstDataSector = min(SelectedDrive.FirstDataSector,
 					(DWORD)(DriveLayout->PartitionEntry[i].StartingOffset.QuadPart / SelectedDrive.SectorSize));
--- a/src/hash.c
+++ b/src/hash.c
@ -1607,8 +1607,7 @@ static int cmp_pe_section(const void* arg1, const void* arg2)
 * @len:    Size of @efi
 * @regp:   Pointer to a list of regions
 *
- * Parse image binary in PE32(+) format, assuming that sanity of PE image
- * has been checked by a caller.
+ * Parse image binary in PE32(+) format.
 *
 * Return:  TRUE on success, FALSE on error
 */
@ -1623,7 +1622,11 @@ BOOL efi_image_parse(uint8_t* efi, size_t len, struct efi_image_regions** regp)
 	uint32_t align, size, authsz;
 	size_t bytes_hashed;

+	if (len < 0x80)
+		return FALSE;
 	dos = (void*)efi;
+	if (dos->e_lfanew > len - 0x40)
+		return FALSE;
 	nt = (void*)(efi + dos->e_lfanew);
 	authsz = 0;

--- a/src/iso.c
+++ b/src/iso.c
@ -1268,7 +1268,7 @@ out:
 							sl_index = i;
 						}
 					}
-					free(buf);
+					safe_free(buf);
 				}
 				DeleteFileU(isolinux_tmp);
 			}
--- a/src/rufus.rc
+++ b/src/rufus.rc
@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.6.2194"
+CAPTION "Rufus 4.6.2195"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
    LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@ -397,8 +397,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,6,2194,0
- PRODUCTVERSION 4,6,2194,0
+ FILEVERSION 4,6,2195,0
+ PRODUCTVERSION 4,6,2195,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -416,13 +416,13 @@ BEGIN
            VALUE "Comments", "https://rufus.ie"
            VALUE "CompanyName", "Akeo Consulting"
            VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.6.2194"
+            VALUE "FileVersion", "4.6.2195"
            VALUE "InternalName", "Rufus"
            VALUE "LegalCopyright", "� 2011-2024 Pete Batard (GPL v3)"
            VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
            VALUE "OriginalFilename", "rufus-4.6.exe"
            VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.6.2194"
+            VALUE "ProductVersion", "4.6.2195"
        END
    END
    BLOCK "VarFileInfo"
--- a/src/stdio.c
+++ b/src/stdio.c
@ -260,8 +260,8 @@ const char *WindowsErrorString(void)
 	// coverity[var_deref_model]
 	size = FormatMessageU(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS |
 		((hModule != NULL) ? FORMAT_MESSAGE_FROM_HMODULE : 0), hModule,
-		HRESULT_CODE(error_code), MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US),
-		&err_string[presize], (DWORD)(sizeof(err_string)-strlen(err_string)), NULL);
+		error_code, MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US),
+		&err_string[presize], (DWORD)(sizeof(err_string) - strlen(err_string)), NULL);
 	if (size == 0) {
 		format_error = GetLastError();
 		switch (format_error) {
@ -519,7 +519,7 @@ HANDLE CreateFileWithTimeout(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwS
 	if (hThread != NULL) {
 		if (WaitForSingleObject(hThread, dwTimeOut) == WAIT_TIMEOUT) {
 			CancelSynchronousIo(hThread);
-			WaitForSingleObject(hThread, INFINITE);
+			WaitForSingleObject(hThread, 30000);
 			params.dwError = WAIT_TIMEOUT;
 		}
 		CloseHandle(hThread);