[core] fix crash when trying to open a Windows ISO with a very long path

* The current wimlib code makes repeated attempts to close stdin (0) on cleanup when a WIM cannot
  be opened, which doesn't sit too well with MSFT's _close() as it invokes an invalid parameter
  exception handler that can make the application crash...
* This may happen when we try to open the WIM from an ISO that has been truncated because it
  resides on a path that is longer than MAX_PATH on account that wimlib repeatedly attempts to
  close the phantom stdin fd's it sees assigned to its internal (and unused) WIMStruct after it
  errors out on trying to open the image.
* So we declare stdin as invalid for use with Visual Studio compiled apps.
* For good measure we also increase the size of the string arrays we used for WIM paths to 1024
  UTF-8 characters, and add explicit asserts in case we have to truncate these paths (since we
  are quite curious about real-life scenarios where people need paths longer than 1024).
* Closes pbatard#2777.
* Also improve the safe_strcp() and safe_sprintf() macros and fix some unwarranted "Command was
  terminated by user" messages introduced in commit ea01cd4.

Author: pbatard

src/iso.c

@@ -246,7 +246,7 @@ static BOOL check_iso_props(const char* psz_dirname, int64_t file_length, const
 	const char* psz_fullpath, EXTRACT_PROPS *props)
 {
 	size_t i, j, k, len;
-	char bootloader_name[32], path[MAX_PATH];
+	char bootloader_name[32];
 
 	// Check for an isolinux/syslinux config file anywhere
 	memset(props, 0, sizeof(EXTRACT_PROPS));
@@ -298,15 +298,17 @@ static BOOL check_iso_props(const char* psz_dirname, int64_t file_length, const
 		if (file_length >= 4 * GB && psz_dirname != NULL && IS_FAT(fs_type) && img_report.has_4GB_file == 0x81) {
 			if (safe_stricmp(&psz_dirname[max(0, ((int)safe_strlen(psz_dirname)) -
 				((int)strlen(sources_str)))], sources_str) == 0) {
+				char wim_path[4 * MAX_PATH];
 				for (i = 0; i < ARRAYSIZE(wininst_name) - 1; i++) {
 					if (safe_stricmp(psz_basename, wininst_name[i]) == 0 && file_length >= 4 * GB) {
 						print_split_file((char*)psz_fullpath, file_length);
 						char* dst = safe_strdup(psz_fullpath);
 						dst[strlen(dst) - 3] = 's';
 						dst[strlen(dst) - 2] = 'w';
 						dst[strlen(dst) - 1] = 'm';
-						static_sprintf(path, "%s|%s/%s", image_path, psz_dirname, psz_basename);
-						WimSplitFile(path, dst);
+						assert(safe_strlen(image_path) + safe_strlen(psz_dirname) + safe_strlen(psz_basename) + 2 < ARRAYSIZE(wim_path));
+						static_sprintf(wim_path, "%s|%s/%s", image_path, psz_dirname, psz_basename);
+						WimSplitFile(wim_path, dst);
 						free(dst);
 						return TRUE;
 					}
@@ -1401,8 +1403,10 @@ BOOL ExtractISO(const char* src_iso, const char* dest_dir, BOOL scan)
 			safe_free(buf);
 		}
 		if (HAS_WININST(img_report)) {
-			static_sprintf(path, "%s|%s", image_path, &img_report.wininst_path[0][2]);
-			img_report.wininst_version = GetWimVersion(path);
+			char wim_path[4 * MAX_PATH];
+			assert(safe_strlen(image_path) + safe_strlen(&img_report.wininst_path[0][2]) + 2 < ARRAYSIZE(wim_path));
+			static_sprintf(wim_path, "%s|%s", image_path, &img_report.wininst_path[0][2]);
+			img_report.wininst_version = GetWimVersion(wim_path);
 		}
 		if (img_report.has_grub2) {
 			char grub_path[128];

src/msapi_utf8.h

@@ -56,8 +56,12 @@ extern "C" {
 
 #define wchar_to_utf8_no_alloc(wsrc, dest, dest_size) \
 	WideCharToMultiByte(CP_UTF8, 0, wsrc, -1, dest, (int)(dest_size), NULL, NULL)
+#define wchar_to_utf8_get_size(wsrc) \
+	WideCharToMultiByte(CP_UTF8, 0, wsrc, -1, NULL, 0, NULL, NULL)
 #define utf8_to_wchar_no_alloc(src, wdest, wdest_size) \
 	MultiByteToWideChar(CP_UTF8, 0, src, -1, wdest, (int)(wdest_size))
+#define utf8_to_wchar_get_size(src) \
+	MultiByteToWideChar(CP_UTF8, 0, src, -1, NULL, 0)
 #define Edit_ReplaceSelU(hCtrl, str) ((void)SendMessageLU(hCtrl, EM_REPLACESEL, (WPARAM)FALSE, str))
 #define ComboBox_AddStringU(hCtrl, str) ((int)(DWORD)SendMessageLU(hCtrl, CB_ADDSTRING, (WPARAM)FALSE, str))
 #define ComboBox_InsertStringU(hCtrl, index, str) ((int)(DWORD)SendMessageLU(hCtrl, CB_INSERTSTRING, (WPARAM)index, str))

src/rufus.h

@@ -168,7 +168,7 @@
 #define safe_mm_free(p) do { _mm_free((void*)p); p = NULL; } while(0)
 static __inline void safe_strcp(char* dst, const size_t dst_max, const char* src, const size_t count) {
 	memmove(dst, src, min(count, dst_max));
-	dst[min(count, dst_max) - 1] = 0;
+	if (dst != NULL) dst[min(count, dst_max) - 1] = 0;
 }
 #define safe_strcpy(dst, dst_max, src) safe_strcp(dst, dst_max, src, safe_strlen(src) + 1)
 #define static_strcpy(dst, src) safe_strcpy(dst, sizeof(dst), src)
@@ -188,7 +188,7 @@ static __inline void safe_strcp(char* dst, const size_t dst_max, const char* src
 	HIMAGELIST _hImageList = (HIMAGELIST)SendMessage(hToolbar, TB_GETIMAGELIST, (WPARAM)0, (LPARAM)0); \
 	safe_destroy_imagelist(_hImageList); } } while(0)
 #define safe_sprintf(dst, count, ...) do { size_t _count = count; char* _dst = dst; _snprintf_s(_dst, _count, _TRUNCATE, __VA_ARGS__); \
-	_dst[(_count) - 1] = 0; } while(0)
+	if (_dst != NULL) _dst[(_count) - 1] = 0; } while(0)
 #define static_sprintf(dst, ...) safe_sprintf(dst, sizeof(dst), __VA_ARGS__)
 #define safe_atoi(str) ((((char*)(str))==NULL) ? 0 : atoi(str))
 #define safe_strlen(str) ((((char*)(str))==NULL) ? 0 : strlen(str))

src/rufus.rc

@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.10.2268"
+CAPTION "Rufus 4.10.2269"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
     LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -407,8 +407,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,10,2268,0
- PRODUCTVERSION 4,10,2268,0
+ FILEVERSION 4,10,2269,0
+ PRODUCTVERSION 4,10,2269,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -426,13 +426,13 @@ BEGIN
             VALUE "Comments", "https://rufus.ie"
             VALUE "CompanyName", "Akeo Consulting"
             VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.10.2268"
+            VALUE "FileVersion", "4.10.2269"
             VALUE "InternalName", "Rufus"
             VALUE "LegalCopyright", "� 2011-2025 Pete Batard (GPL v3)"
             VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
             VALUE "OriginalFilename", "rufus-4.10.exe"
             VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.10.2268"
+            VALUE "ProductVersion", "4.10.2269"
         END
     END
     BLOCK "VarFileInfo"

src/stdfn.c

@@ -890,13 +890,13 @@ DWORD RunCommandWithProgress(const char* cmd, const char* dir, BOOL log, int msg
 			Sleep(100);
 		};
 	} else {
-		// TODO: Detect user cancellation here?
 		switch (WaitForSingleObject(pi.hProcess, 1800000)) {
 		case WAIT_TIMEOUT:
 			uprintf("Command did not terminate within timeout duration");
 			break;
 		case WAIT_OBJECT_0:
-			uprintf("Command was terminated by user");
+			if (IS_ERROR(ErrorStatus) && (SCODE_CODE(ErrorStatus) == ERROR_CANCELLED))
+				uprintf("Command was terminated by user");
 			break;
 		default:
 			uprintf("Error while waiting for command to be terminated: %s", WindowsErrorString());

src/wimlib/wimlib/file_io.h

@@ -81,7 +81,15 @@ static inline void filedes_invalidate(struct filedes *fd)
 static inline bool
 filedes_valid(const struct filedes *fd)
 {
+#ifdef _MSC_VER
+	// The current wimlib code makes repeated attempts to close stdin (0) when a
+	// WIM cannot be opened, which doesn't sit too well with MSFT's _close() as
+	// it invokes the exception handler and can make the application crash...
+	// So we declare stdin as invalid for use with Visual Studio compiled apps.
+	return (fd->fd != -1 && fd->fd != 0);
+#else
 	return fd->fd != -1;
+#endif
 }
 
 #endif /* _WIMLIB_FILE_IO_H */

src/wue.c

@@ -475,15 +475,17 @@ static void PopulateWindowsVersionFromXml(const wchar_t* xml, size_t xml_len, in
 BOOL PopulateWindowsVersion(void)
 {
 	int r;
-	char wim_path[MAX_PATH] = "";
+	char wim_path[4 * MAX_PATH] = "";
 	wchar_t* xml = NULL;
 	size_t xml_len;
 	WIMStruct* wim = NULL;
 
 	memset(&img_report.win_version, 0, sizeof(img_report.win_version));
 
+	assert(safe_strlen(image_path) + 1 < ARRAYSIZE(wim_path));
 	static_strcpy(wim_path, image_path);
 	if (!img_report.is_windows_img) {
+		assert(safe_strlen(image_path) + safe_strlen(&img_report.wininst_path[0][3]) + 1 < ARRAYSIZE(wim_path));
 		static_strcat(wim_path, "|");
 		static_strcat(wim_path, &img_report.wininst_path[0][3]);
 	}
@@ -545,7 +547,7 @@ int SetWinToGoIndex(void)
 	int i, r;
 	WIMStruct* wim = NULL;
 	char* install_names[MAX_WININST];
-	wchar_t wim_path[MAX_PATH] = L"", *xml = NULL;
+	wchar_t wim_path[4 * MAX_PATH] = L"", *xml = NULL;
 	size_t xml_len;
 	StrArray version_name = { 0 }, version_index = { 0 };
 	BOOL bNonStandard = FALSE;
@@ -568,9 +570,11 @@ int SetWinToGoIndex(void)
 			wininst_index = 0;
 	}
 
+	assert(utf8_to_wchar_get_size(image_path) <= ARRAYSIZE(wim_path));
 	utf8_to_wchar_no_alloc(image_path, wim_path, ARRAYSIZE(wim_path));
 	if (!img_report.is_windows_img) {
 		wcscat(wim_path, L"|");
+		assert(utf8_to_wchar_get_size(image_path) + utf8_to_wchar_get_size(&img_report.wininst_path[wininst_index][2]) <= ARRAYSIZE(wim_path));
 		utf8_to_wchar_no_alloc(&img_report.wininst_path[wininst_index][2],
 			&wim_path[wcslen(wim_path)], (int)ARRAYSIZE(wim_path) - wcslen(wim_path));
 	}
@@ -663,7 +667,7 @@ int SetWinToGoIndex(void)
 /// <returns>TRUE on success, FALSE on error.</returns>
 BOOL SetupWinToGo(DWORD DriveIndex, const char* drive_name, BOOL use_esp)
 {
-	char *ms_efi = NULL, wim_path[MAX_PATH], cmd[MAX_PATH];
+	char *ms_efi = NULL, wim_path[4 * MAX_PATH], cmd[MAX_PATH];
 	ULONG cluster_size;
 
 	uprintf("Windows To Go mode selected");
@@ -673,8 +677,10 @@ BOOL SetupWinToGo(DWORD DriveIndex, const char* drive_name, BOOL use_esp)
 		return FALSE;
 	}
 
+	assert(safe_strlen(image_path) < ARRAYSIZE(wim_path));
 	static_strcpy(wim_path, image_path);
 	if (!img_report.is_windows_img) {
+		assert(safe_strlen(image_path) + safe_strlen(&img_report.wininst_path[wininst_index][3]) + 1 < ARRAYSIZE(wim_path));
 		static_strcat(wim_path, "|");
 		static_strcat(wim_path, &img_report.wininst_path[wininst_index][3]);
 	}