author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2015-07-13 16:18:40 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2015-07-13 23:35:20 +0200 |
commit | 103018b367108b2ffce9a4b7f91f3c07cd41c492 (patch) | |
tree | 254d859d8b9c2d387fbfd532aa0ee18c7d75b531 | |
parent | 52146825de865a2be55bf087f380c3bd0f3182fc (diff) | |
download | VeraCrypt-103018b367108b2ffce9a4b7f91f3c07cd41c492.tar.gz VeraCrypt-103018b367108b2ffce9a4b7f91f3c07cd41c492.zip |
Windows: Fix memory access issues when processing language XML files. Avoid writing to locked memory resource which can trigger crash.
-rw-r--r-- | src/Common/Language.c | 63 |
1 files changed, 53 insertions, 10 deletions
diff --git a/src/Common/Language.c b/src/Common/Language.c
index e5b7a314..049bbb09 100644
--- a/src/Common/Language.c
+++ b/src/Common/Language.c
@@ -31,14 +31,16 @@ BOOL LocalizationActive;
int LocalizationSerialNo;
wchar_t UnknownString[1024];
-static char *LanguageFileBuffer;
+static char *LanguageFileBuffer = NULL;
static HANDLE LanguageFileFindHandle = INVALID_HANDLE_VALUE;
static char PreferredLangId[6];
-static char *LanguageResource;
-static char *HeaderResource[2];
-static char ActiveLangPackVersion[6];
+static char *LanguageResource = NULL;
+static DWORD LanguageResourceSize = 0;
+static char *HeaderResource[2] = {NULL, NULL};
+static DWORD HeaderResourceSize[2] = {0, 0};
+static char ActiveLangPackVersion[6] = {0};
static char *MapFirstLanguageFile ()
{
if (LanguageFileFindHandle != INVALID_HANDLE_VALUE)
@@ -46,16 +48,33 @@ static char *MapFirstLanguageFile () FindClose (LanguageFileFindHandle);
LanguageFileFindHandle = INVALID_HANDLE_VALUE;
}
+ if (LanguageFileBuffer != NULL)
+ {
+ free (LanguageFileBuffer);
+ LanguageFileBuffer = NULL;
+ }
+
if (LanguageResource == NULL)
{
DWORD size;
LanguageResource = MapResource ("Xml", IDR_LANGUAGE, &size);
- LanguageResource[size - 1] = 0;
+ if (LanguageResource)
+ LanguageResourceSize = size;
}
- return LanguageResource;
+ if (LanguageResource)
+ {
+ LanguageFileBuffer = malloc(LanguageResourceSize + 1);
+ if (LanguageFileBuffer)
+ {
+ memcpy (LanguageFileBuffer, LanguageResource, LanguageResourceSize);
+ LanguageFileBuffer[LanguageResourceSize] = 0;
+ }
+ }
+
+ return LanguageFileBuffer;
}
static char *MapNextLanguageFile ()
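Review bot: Nothing in MapFirstLanguageFile says why the resource is now copied or how long the returned pointer stays valid, and both matter to callers. Going by the commit message, the mapped resource must not be written to, so a comment above the malloc such as `/* Resource memory is read-only: terminate a private copy instead of writing into it */` would keep a later cleanup from reintroducing the in-place write. The function also deserves a header comment stating that the returned buffer is owned by the static `LanguageFileBuffer` and is freed by the next call to MapFirstLanguageFile or MapNextLanguageFile, so callers must neither keep nor free it. Whether the last buffer is released once loading finishes is not visible in this hunk.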
@@ -65,8 +84,15 @@ static char *MapNextLanguageFile () HANDLE file;
DWORD read;
BOOL bStatus;
+ /* free memory here to avoid leaks */
+ if (LanguageFileBuffer != NULL)
+ {
+ free (LanguageFileBuffer);
+ LanguageFileBuffer = NULL;
+ }
+
if (LanguageFileFindHandle == INVALID_HANDLE_VALUE)
{
GetModuleFileNameW (NULL, f, sizeof (f) / sizeof (f[0]));
t = wcsrchr (f, L'\\');
@@ -83,19 +109,20 @@ static char *MapNextLanguageFile () LanguageFileFindHandle = INVALID_HANDLE_VALUE;
return NULL;
}
+ if (LanguageFileFindHandle == INVALID_HANDLE_VALUE) return NULL;
if (find.nFileSizeHigh != 0) return NULL;
- if (LanguageFileBuffer != NULL) free (LanguageFileBuffer);
LanguageFileBuffer = malloc(find.nFileSizeLow + 1);
if (LanguageFileBuffer == NULL) return NULL;
GetModuleFileNameW (NULL, f, sizeof (f) / sizeof(f[0]));
t = wcsrchr (f, L'\\');
if (t == NULL)
{
free(LanguageFileBuffer);
+ LanguageFileBuffer = NULL;
return NULL;
}
t[1] = 0;
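Review bot: The allocation `malloc(find.nFileSizeLow + 1)`, left unchanged by this commit, is computed in 32-bit DWORD arithmetic, so a reported size of 0xFFFFFFFF wraps to a zero-byte request while the later `ReadFile` and the terminator write still use the full `find.nFileSizeLow`. The `find.nFileSizeHigh != 0` check just above does not cover that value. Since this commit is about memory-access safety in the language loader, the guard could be extended here, for example `if (find.nFileSizeHigh != 0 || find.nFileSizeLow == MAXDWORD) return NULL;`, or replaced with a tighter project-chosen upper bound for language files. The `ReadFile` call is in the next hunk, and MapNextLanguageFile's body extends beyond this one.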
@@ -104,16 +131,18 @@ static char *MapNextLanguageFile () file = CreateFileW (f, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
if (file == INVALID_HANDLE_VALUE)
{
free(LanguageFileBuffer);
+ LanguageFileBuffer = NULL;
return NULL;
}
bStatus = ReadFile (file, LanguageFileBuffer, find.nFileSizeLow, &read, NULL);
CloseHandle (file);
if (!bStatus || (read != find.nFileSizeLow))
{
free(LanguageFileBuffer);
+ LanguageFileBuffer = NULL;
return NULL;
}
LanguageFileBuffer [find.nFileSizeLow] = 0; // we have allocated (find.nFileSizeLow + 1) bytes
@@ -125,9 +154,9 @@ static char *MapNextLanguageFile () BOOL LoadLanguageFile ()
{
DWORD size;
BYTE *res;
- char *xml, *header;
+ char *xml, *header, *headerPtr;
char langId[6] = "en", attr[32768], key[128];
BOOL defaultLangParsed = FALSE, langFound = FALSE;
WCHAR wattr[32768];
int i, intKey, len;
@@ -310,12 +339,24 @@ BOOL LoadLanguageFile () {
if (HeaderResource[i] == NULL)
{
HeaderResource[i] = MapResource ("Header", headers[i], &size);
- *(HeaderResource[i] + size - 1) = 0;
+ if (HeaderResource[i])
+ HeaderResourceSize[i] = size;
}
- header = HeaderResource[i];
+ headerPtr = NULL;
+ if (HeaderResource[i])
+ {
+ headerPtr = (char*) malloc (HeaderResourceSize[i] + 1);
+ if (headerPtr)
+ {
+ memcpy (headerPtr, HeaderResource[i], HeaderResourceSize[i]);
+ headerPtr [HeaderResourceSize[i]] = 0;
+ }
+ }
+
+ header = headerPtr;
if (header == NULL) return FALSE;
do
{
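Review bot: The copy-and-terminate sequence added here (`malloc (HeaderResourceSize[i] + 1)`, `memcpy`, then the trailing 0) repeats what the MapFirstLanguageFile hunk adds for `LanguageResource`, so the off-by-one-sensitive size arithmetic now lives in two places. A small static helper would keep the `+ 1` and the NUL write in one spot, and would also drop the `(char*)` cast, which the other malloc calls in this diff do not use. Separately, `headerPtr` is released only by the `free (headerPtr)` after the do/while in the following hunk. The loop body lies outside both hunks, so it is worth confirming that no path leaves the function from inside it.

```c
/* Returns a heap copy of a read-only resource with a terminating NUL appended,
   or NULL on failure. The caller frees the result. */
static char *DuplicateResourceAsString (const char *resource, DWORD size)
{
	char *copy;

	if (resource == NULL || size == MAXDWORD)
		return NULL;

	copy = malloc ((size_t) size + 1);
	if (copy != NULL)
	{
		memcpy (copy, resource, size);
		copy[size] = 0;
	}

	return copy;
}

// … unchanged: MapResource call and HeaderResourceSize[i] assignment …
headerPtr = DuplicateResourceAsString (HeaderResource[i], HeaderResourceSize[i]);
```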
@@ -327,8 +368,10 @@ BOOL LoadLanguageFile () AddDictionaryEntry (NULL, intKey, str);
}
} while ((header = strchr (header, '\n') + 1) != (char *) 1);
+
+ free (headerPtr);
}
return TRUE;
}