Windows vulnerability fix: correct possible BSOD attack targeted towards GetWipePassCount() / WipeBuffer() found by the Open Crypto Audit Project.

src/Common/BootEncryption.cpp

@@ -2064,7 +2064,7 @@ namespace VeraCrypt
 	{
 		BootEncryptionStatus encStatus = GetStatus();
 
-		if (encStatus.SetupInProgress)
+		if (encStatus.SetupInProgress || (wipePassCount <= 0))
 			throw ParameterIncorrect (SRC_POS);
 
 		SystemDriveConfiguration config = GetSystemDriveConfiguration ();

src/Common/Password.c

@@ -143,6 +143,13 @@ int ChangePwd (const char *lpszVolume, Password *oldPassword, Password *newPassw
 
 	if (oldPassword->Length == 0 || newPassword->Length == 0) return -1;
 
+	if (wipePassCount <= 0)
+	{
+      nStatus = ERR_PARAMETER_INCORRECT;
+      handleError (hwndDlg, nStatus);
+      return nStatus;
+	}
+
    if (!lpszVolume)
    {
       nStatus = ERR_OUTOFMEMORY;

src/Common/Wipe.c

@@ -157,12 +157,9 @@ int GetWipePassCount (WipeAlgorithmId algorithm)
 
 	case TC_WIPE_256:
 		return 256;
-
-	default:
-		TC_THROW_FATAL_EXCEPTION;
 	}
 
-	return 0;	// Prevent compiler warnings
+	return -1;	// Prevent compiler warnings
 }
 
 
@@ -183,8 +180,14 @@ BOOL WipeBuffer (WipeAlgorithmId algorithm, byte randChars[TC_WIPE_RAND_CHAR_COU
 	case TC_WIPE_35_GUTMANN:
 		return Wipe35Gutmann (pass, buffer, size);
 
+	/* we will never reach here because all calls to WipeBuffer are preceeded
+	 * by a call to GetWipePassCount that already checks the same algorithm
+	 * parameters and in case of unsupported value an error is returned before
+	 * calling WipeBuffer
+	 */
+   /*
 	default:
-		TC_THROW_FATAL_EXCEPTION;
+		TC_THROW_FATAL_EXCEPTION;*/
 	}
 
 	return FALSE;	// Prevent compiler warnings