From 7dc8394752f43fbd397b4f42377f32a1e8d7dadd Mon Sep 17 00:00:00 2001
From: olszomal
Date: Mon, 31 Mar 2025 10:09:19 +0200
Subject: [PATCH 1/4] Fix memory management for ministream and difat in MSI output, CID 1639166

---
 msi.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/msi.c b/msi.c
index 45a5197..68265e3 100644
--- a/msi.c
+++ b/msi.c
@@ -1785,7 +1785,6 @@ static int ministream_save(MSI_DIRENT *dirent, BIO *outdata, MSI_OUT *out)
     dirent->entry->startSectorLocation = out->sectorNum;
     /* ministream save */
     BIO_write(outdata, out->ministream, (int)out->miniStreamLen);
-    OPENSSL_free(out->ministream);
     /* fill to the end with known data, such as all zeroes */
     if (out->miniStreamLen % out->sectorSize > 0) {
         remain = out->sectorSize - out->miniStreamLen % out->sectorSize;
@@ -2186,6 +2185,8 @@ static int msiout_set(MSI_FILE *msi, uint32_t len_msi, uint32_t len_msiex, MSI_O
     out->header = header_new(msi->m_hdr, out);
     out->minifatMemallocCount = msi->m_hdr->numMiniFATSector;
     out->fatMemallocCount = msi->m_hdr->numFATSector;
+    out->difatMemallocCount = 0;
+    out->difat = NULL;
     out->ministream = NULL;
     out->minifat = OPENSSL_malloc((uint64_t)out->minifatMemallocCount * out->sectorSize);
     out->fat = OPENSSL_malloc((uint64_t)out->fatMemallocCount * out->sectorSize);
@@ -2226,7 +2227,9 @@ static int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, uint
 out:
     OPENSSL_free(out.header);
     OPENSSL_free(out.fat);
+    OPENSSL_free(out.difat);
     OPENSSL_free(out.minifat);
+    OPENSSL_free(out.ministream);
     return ret;
 }
 
From 4f2c93c644ae28c602fc5d6fb6b91d43b2a88629 Mon Sep 17 00:00:00 2001
From: olszomal
Date: Mon, 31 Mar 2025 10:33:41 +0200
Subject: [PATCH 2/4] Simplify error handling in PKCS#7 certificate loading, CID 1639170

---
 osslsigncode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/osslsigncode.c b/osslsigncode.c
index 3ad4bd9..ed96124 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
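Review bot: Dropping `OPENSSL_free(out->ministream)` from ministream_save moves ownership of the buffer to the caller, but nothing in the function records that, so a later reader could reintroduce the free here and produce a double free against the `out:` cleanup in msi_file_write. Add a comment above the BIO_write line, e.g. `/* out->ministream is owned by msi_file_write and released at its out: label */`. ministream_save's body starts and ends outside the hunk.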
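Review bot: The `OPENSSL_free(out.difat)` and `OPENSSL_free(out.ministream)` added at the `out:` label in msi_file_write are only safe if `out` is zero-initialized or if no `goto out` can run before msiout_set assigns `out->difat = NULL` and `out->ministream = NULL`; the declaration of `out` and any earlier failure jumps are outside the hunk, so I cannot confirm either. If `out` is declared without an initializer, change it to `MSI_OUT out = {0};` so every pointer released here is a valid NULL on early-exit paths. The same consideration applies to out.header, out.fat and out.minifat, which this commit leaves as they were.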
@@ -4269,7 +4269,7 @@ static int read_crypto_params(GLOBAL_OPTIONS *options)
     /* OpenSSL store API does not support PKCS#7 format */
     if (sk_X509_num(options->certs) == 0 && !read_pkcs7_certfile(options)) {
-        goto out;
+        return 0; /* FAILED */
     }
 out:
     return (options->pkey && sk_X509_num(options->certs) > 0) ? 1 : 0;
From 2637601b28bd986530613a64d3272a25d7bb9db7 Mon Sep 17 00:00:00 2001
From: olszomal
Date: Mon, 31 Mar 2025 11:02:37 +0200
Subject: [PATCH 3/4] Fixed directly dereferencing parameter p7, CID 1576008

---
 osslsigncode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/osslsigncode.c b/osslsigncode.c
index ed96124..eecb5cc 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -1357,7 +1357,7 @@ static int add_unauthenticated_blob(PKCS7 *p7, const char *blob_file)
         fprintf(stderr, "Failed to obtain PKCS#7 signer info list\n");
         return 0; /* FAILED */
     }
-    si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
+    si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
     if (!si) {
         fprintf(stderr, "Failed to obtain signer info from PKCS#7 structure\n");
         return 0; /* FAILED */
From 99c509ff01c9273d46d119bfd6b8797ea3c44677 Mon Sep 17 00:00:00 2001
From: olszomal
Date: Mon, 31 Mar 2025 11:36:58 +0200
Subject: [PATCH 4/4] Fixed resource leaks, CID 1639164, 1639165, 1639167, 1639168, 1639169

---
 appx.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/appx.c b/appx.c
index eb0102a..5d6fd52 100644
--- a/appx.c
+++ b/appx.c
@@ -1488,6 +1488,7 @@ static int zipAppendSignatureFile(BIO *bio, ZIP_FILE *zip, uint8_t *data, uint64
     if (!get_current_position(bio, &offset)) {
         fprintf(stderr, "Unable to get offset\n");
+        OPENSSL_free(header.fileName);
         OPENSSL_free(dataToWrite);
         return 0; /* FAILED */
     }
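Review bot: Replacing `goto out` with a direct return in read_crypto_params may leave the `out:` label on the next line with no remaining jump; if no other `goto out` exists in the function (its body starts outside the hunk), remove the label as well, since a dead label warns under `-Wunused-label`. Behaviour is unchanged either way: with zero certificates the `out:` expression also evaluates to 0, so this is a readability simplification rather than a fix.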
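Review bot: The two failure paths in zipAppendSignatureFile (this hunk at -1488 and the one at -1497) now each repeat the `OPENSSL_free(header.fileName); OPENSSL_free(dataToWrite);` pair before `return 0`, which is the duplication that let the original leak slip in; the same commit already moves zipRewriteData to a single `out:` label with `int ret = 0;`, and that shape would suit this function too. If the ZIP_LOCAL_HEADER built here also carries an allocated `extraField`, it is still not released on these paths — the allocation sites are outside the hunk, so please check. zipAppendSignatureFile begins and ends outside the hunk.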
@@ -1497,6 +1498,7 @@ static int zipAppendSignatureFile(BIO *bio, ZIP_FILE *zip, uint8_t *data, uint64
         size_t check;
         if (!BIO_write_ex(bio, dataToWrite + written, toWrite, &check) || check != toWrite) {
+            OPENSSL_free(header.fileName);
             OPENSSL_free(dataToWrite);
             return 0; /* FAILED */
         }
@@ -1591,6 +1593,7 @@ static int zipRewriteData(ZIP_FILE *zip, ZIP_CENTRAL_DIRECTORY_ENTRY *entry, BIO
 {
     size_t check;
     ZIP_LOCAL_HEADER header;
+    int ret = 0;
     memset(&header, 0, sizeof(header));
     if (entry->offsetOfLocalHeader >= (uint64_t)zip->fileSize) {
@@ -1601,7 +1604,7 @@ static int zipRewriteData(ZIP_FILE *zip, ZIP_CENTRAL_DIRECTORY_ENTRY *entry, BIO
         return 0; /* FAILED */
     }
     if (!zipReadLocalHeader(&header, zip, entry->compressedSize)) {
-        return 0; /* FAILED */
+        goto out;
     }
     if (entry->overrideData) {
         header.compressedSize = entry->overrideData->compressedSize;
@@ -1612,14 +1615,14 @@ static int zipRewriteData(ZIP_FILE *zip, ZIP_CENTRAL_DIRECTORY_ENTRY *entry, BIO
     if (entry->overrideData) {
         if (!BIO_write_ex(bio, entry->overrideData->data, entry->overrideData->compressedSize, &check) || check != entry->overrideData->compressedSize) {
-            return 0; /* FAILED */
+            goto out;
         }
         if (entry->compressedSize > (uint64_t)zip->fileSize - entry->offsetOfLocalHeader) {
             fprintf(stderr, "Corrupted compressedSize : 0x%08" PRIX64 "\n", entry->compressedSize);
-            return 0; /* FAILED */
+            goto out;
         }
         if (fseeko(zip->file, (int64_t)entry->compressedSize, SEEK_CUR) < 0) {
-            return 0; /* FAILED */
+            goto out;
         }
         *sizeOnDisk += entry->overrideData->compressedSize;
     } else {
@@ -1630,12 +1633,12 @@ static int zipRewriteData(ZIP_FILE *zip, ZIP_CENTRAL_DIRECTORY_ENTRY *entry, BIO
             size_t size = fread(data, 1, toWrite, zip->file);
             if (size != toWrite) {
                 OPENSSL_free(data);
-                return 0; /* FAILED */
+                goto out;
             }
             if (!BIO_write_ex(bio, data, toWrite, &check) || check != toWrite) {
                 OPENSSL_free(data);
-                return 0; /* FAILED */
+                goto out;
             }
             *sizeOnDisk += toWrite;
             len -= toWrite;
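Review bot: The `return 0; /* FAILED */` kept at the top of the hunk at -1601 (the offsetOfLocalHeader check) is now the only failure path in zipRewriteData that bypasses the new `out:` cleanup; it is correct today because `header` is zeroed just before it and nothing has been allocated yet, but it is inconsistent with every other exit and becomes a leak the moment an allocation is moved above it. Change it to `goto out;` so that `ret` and the label carry every exit. The inner `OPENSSL_free(data)` before each `goto out` in the hunk at -1630 is still required, since `data` is local to the else branch and not covered by the label.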
@@ -1654,19 +1657,21 @@ static int zipRewriteData(ZIP_FILE *zip, ZIP_CENTRAL_DIRECTORY_ENTRY *entry, BIO
         }
         if (zip->isZip64) {
             if (fseeko(zip->file, 24, SEEK_CUR) < 0) {
-                return 0; /* FAILED */
+                goto out;
             }
             *sizeOnDisk += 24;
         } else {
             if (fseeko(zip->file, 16, SEEK_CUR) < 0) {
-                return 0; /* FAILED */
+                goto out;
             }
             *sizeOnDisk += 16;
         }
     }
+    ret = 1; /* OK */
+out:
     OPENSSL_free(header.fileName);
     OPENSSL_free(header.extraField);
-    return 1; /* OK */
+    return ret;
 }
 
 /*
@@ -1835,6 +1840,8 @@ static size_t zipReadFileData(ZIP_FILE *zip, uint8_t **pData, ZIP_CENTRAL_DIRECT
     uncompressedSize = entry->uncompressedSize;
     memset(&header, 0, sizeof(header));
     if (!zipReadLocalHeader(&header, zip, compressedSize)) {
+        OPENSSL_free(header.fileName);
+        OPENSSL_free(header.extraField);
         return 0; /* FAILED */
     }
     if (header.fileNameLen != entry->fileNameLen
@@ -1843,6 +1850,8 @@ static size_t zipReadFileData(ZIP_FILE *zip, uint8_t **pData, ZIP_CENTRAL_DIRECT
         || header.uncompressedSize != uncompressedSize || header.compression != entry->compression) {
         fprintf(stderr, "Local header does not match central directory entry\n");
+        OPENSSL_free(header.fileName);
+        OPENSSL_free(header.extraField);
         return 0; /* FAILED */
     }
     /* we don't really need those */
@@ -2144,6 +2153,7 @@ static int zipDeflate(uint8_t *dest, uint64_t *destLen, uint8_t *source, uLong s
     err = deflateInit2(&stream, 8, Z_DEFLATED, -MAX_WBITS, 8, Z_DEFAULT_STRATEGY);
     if (err != Z_OK) {
+        deflateEnd(&stream);
         return err;
     }
     stream.next_out = dest;
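Review bot: The two failure paths in zipReadFileData (hunks at -1835 and -1843) each inline the same `OPENSSL_free(header.fileName); OPENSSL_free(header.extraField);` pair, while zipRewriteData in this same commit was converted to a single `out:` label for the identical cleanup; using the same `goto out` shape here keeps the two functions consistent and makes the next error path harder to get wrong. This also relies on zipReadLocalHeader leaving those fields either NULL (from the preceding memset) or pointing at heap memory when it fails, which cannot be verified from the hunk. zipReadFileData's body continues past the hunk.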