Windows vulnerability fix : finally make bootloader decompressor more robust and secure by adding multiple checks and validation code. This solves the issue found by the Open Crypt Audit project. Note that we had to switch to the slow implementation of the function decode in order to keep the size of the decompressor code under 2K.

src/Boot/Windows/BootCommon.h

@@ -13,7 +13,7 @@
 #include "BootDefs.h"
 
 // The user will be advised to upgrade the rescue disk if upgrading from the following or any previous version
-#define TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION 0x010a
+#define TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION 0x010e
 
 #define TC_BOOT_LOADER_AREA_SIZE (TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS)
 

src/Boot/Windows/BootSector.asm

@@ -134,6 +134,8 @@ checksum_ok:
 	push dx
 	
 	; Decompress boot loader
+	mov cx, word ptr [start + TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET]
+	push cx																		; Compressed data size
 	push TC_BOOT_LOADER_COMPRESSED_BUFFER_OFFSET + TC_GZIP_HEADER_SIZE			; Compressed data
 	push TC_MAX_BOOT_LOADER_DECOMPRESSED_SIZE									; Output buffer size
 	push TC_BOOT_LOADER_DECOMPRESSOR_MEMORY_SIZE + TC_COM_EXECUTABLE_OFFSET		; Output buffer
@@ -145,7 +147,7 @@ checksum_ok:
 	retf
 decompressor_ret:
 
-	add sp, 6
+	add sp, 8
 	pop dx
 	
 	; Restore boot sector segment

src/Boot/Windows/Decompressor.c

@@ -47,6 +47,7 @@ struct state {
 
     /* input state */
     unsigned char *in;          /* input buffer */
+    unsigned int inlen;			 /* available input at in */
     unsigned int incnt;        /* bytes read so far */
     int bitbuf;                 /* bit buffer */
     int bitcnt;                 /* number of bits in bit buffer */
@@ -81,6 +82,9 @@ local int stored(struct state *s)
     s->bitbuf = 0;
     s->bitcnt = 0;
 
+    if (s->incnt + 4 > s->inlen)
+        return 2;                               /* not enough input */
+
     /* get length and check against its one's complement */
     len = s->in[s->incnt++];
     len |= s->in[s->incnt++] << 8;
@@ -88,6 +92,9 @@ local int stored(struct state *s)
         s->in[s->incnt++] != ((~len >> 8) & 0xff))
         return -2;                              /* didn't match complement! */
 
+    if (s->incnt + len > s->inlen)
+        return 2;                               /* not enough input */
+
     /* copy len bytes from in to out */
     if (s->out != NIL) {
         if (s->outcnt + len > s->outlen)
@@ -110,6 +117,8 @@ struct huffman {
     short *symbol;      /* canonically ordered symbols */
 };
 
+/* reduce code size by using slow version of the decompressor */
+#define SLOW
 
 #ifdef SLOW
 local int decode(struct state *s, struct huffman *h)
@@ -363,26 +372,38 @@ local int dynamic(struct state *s)
         int len;                /* last length to repeat */
 
         symbol = decode(s, &lencode);
+        if (symbol < 0)
+            return symbol;          /* invalid symbol */
         if (symbol < 16)                /* length in 0..15 */
             lengths[index++] = symbol;
         else {                          /* repeat instruction */
             len = 0;                    /* assume repeating zeros */
-            if (symbol == 16) {         /* repeat last length 3..6 times */
+            switch(symbol)
+            {
+               case 16: {         /* repeat last length 3..6 times */
                   if (index == 0) return -5;      /* no last length! */
                   len = lengths[index - 1];       /* last length */
                   symbol = 3 + bits(s, 2);
+                  break;
                }
-            else if (symbol == 17)      /* repeat zero 3..10 times */
+               case  17:      /* repeat zero 3..10 times */
                   symbol = 3 + bits(s, 3);
-            else                        /* == 18, repeat zero 11..138 times */
+                  break;
+               default:                  /* == 18, repeat zero 11..138 times */
                    symbol = 11 + bits(s, 7);
-            if (index + symbol > nlen + ndist)
+                   break;
+             }
+            if ((index + symbol > nlen + ndist))
                 return -6;              /* too many lengths! */
             while (symbol--)            /* repeat last or zero symbol times */
                 lengths[index++] = len;
         }
     }
 
+    /* check for end-of-block code -- there better be one! */
+    if (lengths[256] == 0)
+        return -9;
+
     /* build huffman table for literal/length codes */
     err = construct(&lencode, lengths, nlen);
     if (err < 0 || (err > 0 && nlen - lencode.count[0] != 1))
@@ -404,7 +425,8 @@ void _acrtused () { }
 int far main (
          unsigned char *dest,         /* pointer to destination pointer */
          unsigned int destlen,        /* amount of output space */
-         unsigned char *source)       /* pointer to source data pointer */
+         unsigned char *source,       /* pointer to source data pointer */
+         unsigned int sourcelen)
 {
     struct state s;             /* input/output state */
     int last, type;             /* block information */
@@ -417,6 +439,7 @@ int far main (
 
     /* initialize input state */
     s.in = source;
+    s.inlen = sourcelen;
     s.incnt = 0;
     s.bitbuf = 0;
     s.bitcnt = 0;
@@ -425,10 +448,22 @@ int far main (
 	do {
 		last = bits(&s, 1);         /* one if last block */
 		type = bits(&s, 2);         /* block type 0..3 */
-		err = type == 0 ? stored(&s) :
-			(type == 1 ? fixed(&s) :
-			(type == 2 ? dynamic(&s) :
-			-1));               /* type == 3, invalid */
+		switch(type)
+		{
+		case 0:
+			err = stored(&s);
+			break;
+		case 1:
+			err = fixed(&s);
+			break;
+		case 2:
+			err = dynamic(&s);
+			break;
+		default:
+			err = -1; /* type == 3, invalid */
+			break;
+		}
+
 		if (err != 0) break;        /* return with error */
 	} while (!last);