mirrors/rufus
1
0
Fork 0
mirror of https://github.com/pbatard/rufus.git synced 2025-06-02 15:49:52 -04:00
Code Issues Projects Releases Packages Wiki Activity

[misc] fix a buffer overflow issue in RunCommand

Browse source 
* The size in CreatePipe is a suggested size, not an absolute one.
* As a result, we could overflow our fixed size buffer.
This commit is contained in:
Pete Batard 2015-06-25 19:51:42 +01:00
parent 8b880a7d31
commit d2576a9f5e
2 changed files with 22 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

24
src/stdfn.c
View file

@ -535,16 +535,18 @@ DWORD GetResourceSize(HMODULE module, char* name, char* type, const char* desc)
// Run a console command, with optional redirection of stdout and stderr to our log
DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
{
DWORD ret, dwRead, dwAvail, dwMsg;
DWORD ret, dwRead, dwAvail, dwPipeSize = 4096;
STARTUPINFOA si = {0};
PROCESS_INFORMATION pi = {0};
HANDLE hOutputRead = INVALID_HANDLE_VALUE, hOutputWrite = INVALID_HANDLE_VALUE;
HANDLE hDupOutputWrite = INVALID_HANDLE_VALUE;
char output[1024];
static char* output;
si.cb = sizeof(si);
if (log) {
if (!CreatePipe(&hOutputRead, &hOutputWrite, NULL, sizeof(output)-1)) {
// NB: The size of a pipe is a suggestion, NOT an absolute gaurantee
// This means that you may get a pipe of 4K even if you requested 1K
if (!CreatePipe(&hOutputRead, &hOutputWrite, NULL, dwPipeSize)) {
ret = GetLastError();
uprintf("Could not set commandline pipe: %s", WindowsErrorString());
goto out;
@ -568,13 +570,15 @@ DWORD RunCommand(const char* cmd, const char* dir, BOOL log)
if (log) {
while (1) {
// coverity[string_null]
if (PeekNamedPipe(hOutputRead, output, sizeof(output)-1, &dwRead, &dwAvail, &dwMsg)) {
// Don't care about possible multiple reads being needed
if ((dwAvail != 0) && (ReadFile(hOutputRead, output, dwAvail, &dwRead, NULL)) && (dwRead != 0)) {
// This seems to be needed. Won't overflow since we set our max sizes to sizeof(output)-1
output[dwAvail] = 0;
// coverity[tainted_string]
uprintf(output);
if (PeekNamedPipe(hOutputRead, NULL, dwPipeSize, NULL, &dwAvail, NULL)) {
if (dwAvail != 0) {
output = malloc(dwAvail + 1);
if ((output != NULL) && (ReadFile(hOutputRead, output, dwAvail, &dwRead, NULL)) && (dwRead != 0)) {
output[dwAvail] = 0;
// coverity[tainted_string]
uprintf(output);
}
free(output);
}
}
if (WaitForSingleObject(pi.hProcess, 0) == WAIT_OBJECT_0)