[iso] fix a buffer overflow in iso9660/iso9660_fs.c

* Whereas the length of the buffer allocated for the UTF-8 filename string is the same length as the UCS-2 (which means it can store twice as many UTF-8 bytes as there are characters in the filename), it is still possible for the converted UTF-8 string to overflow this buffer if the name contains glyphs that use 3 or 4-byte sequences. * As a result, use strncpy with the actual size of the UTF-8 filename buffer (the following bytes are calloc'd to zero so the truncated string will be NUL terminated) and produce a warning if the filename is truncated. * Vulnerability discovered and reported by Mansour Gashasbi (@gashasbi).
pbatard · Apr 8, 2024 · 8a8e418 · 8a8e418
1 parent 4eda8d9
commit 8a8e418
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/src/libcdio/iso9660/iso9660_fs.c b/src/libcdio/iso9660/iso9660_fs.c
@@ -865,8 +865,11 @@ _iso9660_recname_to_cstring(const char *src, size_t src_len,
     cdio_utf8_t *p_psz_out = NULL;
 
     if (cdio_charset_to_utf8(src, i_inlen, &p_psz_out, "UCS-2BE")) {
-      if (cpy_result != NULL)
-        strcpy(cpy_result, p_psz_out);
+      if (cpy_result != NULL) {
+        strncpy(cpy_result, p_psz_out, i_inlen);
+	if (strlen(p_psz_out) > i_inlen)
+	  cdio_warn("file name '%s' will be truncated", p_psz_out);
+      }
       if (alloc_result != NULL)
         *alloc_result = p_psz_out;
       else

diff --git a/src/rufus.rc b/src/rufus.rc
@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.5.2125"
+CAPTION "Rufus 4.5.2126"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
     LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -397,8 +397,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,5,2125,0
- PRODUCTVERSION 4,5,2125,0
+ FILEVERSION 4,5,2126,0
+ PRODUCTVERSION 4,5,2126,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -416,13 +416,13 @@ BEGIN
             VALUE "Comments", "https://rufus.ie"
             VALUE "CompanyName", "Akeo Consulting"
             VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.5.2125"
+            VALUE "FileVersion", "4.5.2126"
             VALUE "InternalName", "Rufus"
             VALUE "LegalCopyright", "� 2011-2024 Pete Batard (GPL v3)"
             VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
             VALUE "OriginalFilename", "rufus-4.5.exe"
             VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.5.2125"
+            VALUE "ProductVersion", "4.5.2126"
         END
     END
     BLOCK "VarFileInfo"