[misc] fix Coverity warnings

* Also use a new if_not_assert() construct where possible.

src/badblocks.c

@@ -426,6 +426,11 @@ static unsigned int test_rw(HANDLE hDrive, blk64_t last_block, size_t block_size
 		cancel_ops = -1;
 		return 0;
 	}
+	if ((first_block * block_size > 1 * PB) || (last_block * block_size > 1 * PB)) {
+		uprintf("%sDisk is too large\n", bb_prefix);
+		cancel_ops = -1;
+		return 0;
+	}
 
 	buffer = allocate_buffer(2 * blocks_at_once * block_size);
 	if (!buffer) {
@@ -543,8 +548,12 @@ static unsigned int test_rw(HANDLE hDrive, blk64_t last_block, size_t block_size
 			for (i=0; i < got; i++) {
 				if (memcmp(read_buffer + i * block_size,
 					   buffer + i * block_size,
-					   block_size))
+					   block_size)) {
+					if_not_assert(currently_testing * block_size < 1 * PB) 
+						goto out;
+					// coverity[overflow_const]
 					bb_count += bb_output(currently_testing+i-got, CORRUPTION_ERROR);
+				}
 			}
 			if (v_flag > 1)
 				print_status();

src/bled/crc32.c

@@ -38,6 +38,7 @@ static void crc32init_le(uint32_t *crc32table_le)
 	crc32table_le[0] = 0;
 
 	for (i = 1 << (CRC_LE_BITS - 1); i; i >>= 1) {
+		// coverity[overflow_const]
 		crc = (crc >> 1) ^ ((crc & 1) ? CRCPOLY_LE : 0);
 		for (j = 0; j < 1 << CRC_LE_BITS; j += 2 * i)
 			crc32table_le[i + j] = crc ^ crc32table_le[j];
@@ -81,6 +82,7 @@ static void crc32init_be(uint32_t *crc32table_be)
 	uint32_t crc = 0x80000000;
 
 	for (i = 1; i < 1 << CRC_BE_BITS; i <<= 1) {
+		// coverity[overflow_const]
 		crc = (crc << 1) ^ ((crc & 0x80000000) ? CRCPOLY_BE : 0);
 		for (j = 0; j < i; j++)
 			crc32table_be[i + j] = crc ^ crc32table_be[j];

src/bled/decompress_gunzip.c

@@ -280,6 +280,7 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
 		bytebuffer_offset++;
 		*current += 8;
 	}
+	// coverity[return_overflow]
 	return bitbuffer;
 }
 
@@ -661,7 +662,7 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
 
 
 /* called once from inflate_block */
-static void inflate_stored_setup(STATE_PARAM int my_n, int my_b, int my_k)
+static void inflate_stored_setup(STATE_PARAM unsigned my_n, unsigned my_b, unsigned my_k)
 {
 	inflate_stored_n = my_n;
 	inflate_stored_b = my_b;
@@ -1043,7 +1044,15 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate)
 			n = (nwrote <0)?nwrote:-1;
 			goto ret;
 		}
-		IF_DESKTOP(n += nwrote;)
+#if ENABLE_DESKTOP
+		long long int v = n + nwrote;
+		if (v < n) {
+			bb_simple_error_msg("overflow");
+			n = -1;
+			goto ret;
+		}
+		n = v;
+#endif
 		if (r == 0) break;
 	}
 
@@ -1054,6 +1063,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate)
 		bytebuffer_offset--;
 		bytebuffer[bytebuffer_offset] = gunzip_bb & 0xff;
 		gunzip_bb >>= 8;
+		// coverity[overflow_const]
 		gunzip_bk -= 8;
 	}
  ret:

src/bled/libbb.h

@@ -23,6 +23,7 @@
 #include "platform.h"
 #include "msapi_utf8.h"
 
+#include <assert.h>
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>

src/bled/xz_config.h

@@ -18,6 +18,7 @@
 /* #define XZ_DEC_ARMTHUMB */
 /* #define XZ_DEC_SPARC */
 
+#include <assert.h>
 #include <stdbool.h>
 #include <stdlib.h>
 #include <string.h>

src/bled/xz_dec_bcj.c

@@ -109,6 +109,7 @@ static noinline_for_stack size_t XZ_FUNC bcj_x86(
 		if ((buf[i] & 0xFE) != 0xE8)
 			continue;
 
+		// coverity[overflow_const]
 		prev_pos = i - prev_pos;
 		if (prev_pos > 3) {
 			prev_mask = 0;

src/bled/xz_dec_lzma2.c

@@ -622,7 +622,7 @@ static void XZ_FUNC lzma_len(struct xz_dec_lzma2 *s, struct lzma_len_dec *l,
 		uint32_t pos_state)
 {
 	uint16_t *probs;
-	uint32_t limit;
+	uint32_t limit, v;
 
 	if (!rc_bit(&s->rc, &l->choice)) {
 		probs = l->low[pos_state];
@@ -641,7 +641,9 @@ static void XZ_FUNC lzma_len(struct xz_dec_lzma2 *s, struct lzma_len_dec *l,
 		}
 	}
 
-	s->lzma.len += rc_bittree(&s->rc, probs, limit) - limit;
+	v = s->lzma.len + rc_bittree(&s->rc, probs, limit) - limit;
+	assert(v >= s->lzma.len);
+	s->lzma.len = (v < s->lzma.len) ? 0 : v;
 }
 
 /* Decode a match. The distance will be stored in s->lzma.rep0. */
@@ -660,6 +662,7 @@ static void XZ_FUNC lzma_match(struct xz_dec_lzma2 *s, uint32_t pos_state)
 	lzma_len(s, &s->lzma.match_len_dec, pos_state);
 
 	probs = s->lzma.dist_slot[lzma_get_dist_state(s->lzma.len)];
+	// coverity[overflow_const]
 	dist_slot = rc_bittree(&s->rc, probs, DIST_SLOTS) - DIST_SLOTS;
 
 	if (dist_slot < DIST_MODEL_START) {

src/dev.c

@@ -137,7 +137,8 @@ BOOL CyclePort(int index)
 	DWORD size;
 	USB_CYCLE_PORT_PARAMS cycle_port;
 
-	assert(index < MAX_DRIVES);
+	if_not_assert(index < MAX_DRIVES)
+		return -1;
 	// Wait at least 10 secs between resets
 	if (GetTickCount64() < LastReset + 10000ULL) {
 		uprintf("You must wait at least 10 seconds before trying to reset a device");
@@ -190,7 +191,8 @@ int CycleDevice(int index)
 	SP_DEVINFO_DATA dev_info_data;
 	SP_PROPCHANGE_PARAMS propchange_params;
 
-	assert(index < MAX_DRIVES);
+	if_not_assert(index < MAX_DRIVES)
+		return ERROR_INVALID_DRIVE;
 	if ((index < 0) || (safe_strlen(rufus_drive[index].id) < 8))
 		return ERROR_INVALID_PARAMETER;
 
@@ -583,8 +585,10 @@ BOOL GetDevices(DWORD devnum)
 
 	// Better safe than sorry. And yeah, we could have used arrays of
 	// arrays to avoid this, but it's more readable this way.
-	assert((uasp_start > 0) && (uasp_start < ARRAYSIZE(usbstor_name)));
-	assert((card_start > 0) && (card_start < ARRAYSIZE(genstor_name)));
+	if_not_assert((uasp_start > 0) && (uasp_start < ARRAYSIZE(usbstor_name)))
+		goto out;
+	if_not_assert((card_start > 0) && (card_start < ARRAYSIZE(genstor_name)))
+		goto out;
 
 	devid_list = NULL;
 	if (full_list_size != 0) {
@@ -671,7 +675,8 @@ BOOL GetDevices(DWORD devnum)
 				}
 				// Also test for "_SD&" instead of "_SD_" and so on to allow for devices like
 				// "SCSI\DiskRicoh_Storage_SD&REV_3.0" to be detected.
-				assert(strlen(scsi_card_name_copy) > 1);
+				if_not_assert(strlen(scsi_card_name_copy) > 1)
+					continue;
 				scsi_card_name_copy[strlen(scsi_card_name_copy) - 1] = '&';
 				if (safe_strstr(buffer, scsi_card_name_copy) != NULL) {
 					props.is_CARD = TRUE;
@@ -999,7 +1004,8 @@ BOOL GetDevices(DWORD devnum)
 				rufus_drive[num_drives].display_name = safe_strdup(display_name);
 				rufus_drive[num_drives].label = safe_strdup(label);
 				rufus_drive[num_drives].size = drive_size;
-				assert(rufus_drive[num_drives].size != 0);
+				if_not_assert(rufus_drive[num_drives].size != 0)
+					break;
 				if (hub_path != NULL) {
 					rufus_drive[num_drives].hub = safe_strdup(hub_path);
 					rufus_drive[num_drives].port = props.port;

src/drive.c

@@ -280,9 +280,12 @@ char* GetLogicalName(DWORD DriveIndex, uint64_t PartitionOffset, BOOL bKeepTrail
 
 		// Sanity checks
 		len = safe_strlen(volume_name);
-		assert(len > 4);
-		assert(safe_strnicmp(volume_name, volume_start, 4) == 0);
-		assert(volume_name[len - 1] == '\\');
+		if_not_assert(len > 4)
+			continue;
+		if_not_assert(safe_strnicmp(volume_name, volume_start, 4) == 0)
+			continue;
+		if_not_assert(volume_name[len - 1] == '\\')
+			continue;
 
 		drive_type = GetDriveTypeA(volume_name);
 		if ((drive_type != DRIVE_REMOVABLE) && (drive_type != DRIVE_FIXED))
@@ -1817,7 +1820,8 @@ const char* GetFsName(HANDLE hPhysical, LARGE_INTEGER StartingOffset)
 			}
 		}
 		assert(rev < ARRAYSIZE(ext_names));
-		ret = ext_names[rev];
+		if (rev < ARRAYSIZE(ext_names))
+			ret = ext_names[rev];
 		goto out;
 	}
 

src/ext2fs/dirhash.c

@@ -45,6 +45,7 @@ static void TEA_transform(__u32 buf[4], __u32 const in[])
 	int	n = 16;
 
 	do {
+		// coverity[overflow_const]
 		sum += DELTA;
 		b0 += ((b1 << 4)+a) ^ (b1+sum) ^ ((b1 >> 5)+b);
 		b1 += ((b0 << 4)+c) ^ (b0+sum) ^ ((b0 >> 5)+d);

src/ext2fs/initialize.c

@@ -11,6 +11,7 @@
  */
 
 #include "config.h"
+#include <assert.h>
 #include <stdio.h>
 #include <string.h>
 #if HAVE_UNISTD_H
@@ -374,7 +375,9 @@ ipg_retry:
 	 * adjust inode count to reflect the adjusted inodes_per_group
 	 */
 	if ((__u64)super->s_inodes_per_group * fs->group_desc_count > ~0U) {
-		ipg--;
+		assert(ipg != 0);
+		if (ipg != 0)
+			ipg--;
 		goto ipg_retry;
 	}
 	super->s_inodes_count = super->s_inodes_per_group *

src/format.c

@@ -117,8 +117,7 @@ static BOOLEAN __stdcall FormatExCallback(FILE_SYSTEM_CALLBACK_COMMAND Command,
 	if (IS_ERROR(ErrorStatus))
 		return FALSE;
 
-	assert((actual_fs_type >= 0) && (actual_fs_type < FS_MAX));
-	if ((actual_fs_type < 0) || (actual_fs_type >= FS_MAX))
+	if_not_assert((actual_fs_type >= 0) && (actual_fs_type < FS_MAX))
 		return FALSE;
 
 	switch(Command) {
@@ -1108,6 +1107,10 @@ static int sector_write(int fd, const void* _buf, unsigned int count)
 
 	if (sec_size == 0)
 		sec_size = 512;
+	if_not_assert(sec_size <= 64 * KB)
+		return -1;
+	if_not_assert(count <= 1 * GB)
+		return -1;
 
 	// If we are on a sector boundary and count is multiple of the
 	// sector size, just issue a regular write
@@ -1116,6 +1119,8 @@ static int sector_write(int fd, const void* _buf, unsigned int count)
 
 	// If we have an existing partial sector, fill and write it
 	if (sec_buf_pos > 0) {
+		if_not_assert(sec_size >= sec_buf_pos)
+			return -1;
 		fill_size = min(sec_size - sec_buf_pos, count);
 		memcpy(&sec_buf[sec_buf_pos], buf, fill_size);
 		sec_buf_pos += fill_size;
@@ -1133,10 +1138,18 @@ static int sector_write(int fd, const void* _buf, unsigned int count)
 	written = _write(fd, &buf[fill_size], sec_num * sec_size);
 	if (written < 0)
 		return written;
-	else if (written != sec_num * sec_size)
-		return fill_size + written;
+	if (written != sec_num * sec_size) {
+		// Detect overflows
+		// coverity[overflow]
+		int v = fill_size + written;
+		if_not_assert(v >= fill_size)
+			return -1;
+		else
+			return v;
+	}
 	sec_buf_pos = count - fill_size - written;
-	assert(sec_buf_pos < sec_size);
+	if_not_assert(sec_buf_pos < sec_size)
+		return -1;
 
 	// Keep leftover bytes, if any, in the sector buffer
 	if (sec_buf_pos != 0)
@@ -1180,7 +1193,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 			uprintf("Could not allocate disk zeroing buffer");
 			goto out;
 		}
-		assert((uintptr_t)buffer % SelectedDrive.SectorSize == 0);
+		if_not_assert((uintptr_t)buffer % SelectedDrive.SectorSize == 0)
+			goto out;
 
 		// Clear buffer
 		memset(buffer, fast_zeroing ? 0xff : 0x00, buf_size);
@@ -1192,7 +1206,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 				uprintf("Could not allocate disk comparison buffer");
 				goto out;
 			}
-			assert((uintptr_t)cmp_buffer % SelectedDrive.SectorSize == 0);
+			if_not_assert((uintptr_t)cmp_buffer % SelectedDrive.SectorSize == 0)
+				goto out;
 		}
 
 		read_size[0] = buf_size;
@@ -1290,7 +1305,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 			uprintf("Could not allocate disk write buffer");
 			goto out;
 		}
-		assert((uintptr_t)sec_buf % SelectedDrive.SectorSize == 0);
+		if_not_assert((uintptr_t)sec_buf% SelectedDrive.SectorSize == 0)
+			goto out;
 		sec_buf_pos = 0;
 		bled_init(256 * KB, uprintf, NULL, sector_write, update_progress, NULL, &ErrorStatus);
 		bled_ret = bled_uncompress_with_handles(hSourceImage, hPhysicalDrive, img_report.compression_type);
@@ -1312,7 +1328,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 			goto out;
 		}
 	} else {
-		assert(img_report.compression_type != IMG_COMPRESSION_FFU);
+		if_not_assert(img_report.compression_type != IMG_COMPRESSION_FFU)
+			goto out;
 		// VHD/VHDX require mounting the image first
 		if (img_report.compression_type == IMG_COMPRESSION_VHD ||
 			img_report.compression_type == IMG_COMPRESSION_VHDX) {
@@ -1338,7 +1355,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 			uprintf("Could not allocate disk write buffer");
 			goto out;
 		}
-		assert((uintptr_t)buffer % SelectedDrive.SectorSize == 0);
+		if_not_assert((uintptr_t)buffer% SelectedDrive.SectorSize == 0)
+			goto out;
 
 		// Start the initial read
 		ReadFileAsync(hSourceImage, &buffer[read_bufnum * buf_size], (DWORD)MIN(buf_size, target_size));
@@ -1365,7 +1383,8 @@ static BOOL WriteDrive(HANDLE hPhysicalDrive, BOOL bZeroDrive)
 
 			// 2. WriteFile fails unless the size is a multiple of sector size
 			if (read_size[read_bufnum] % SelectedDrive.SectorSize != 0) {
-				assert(HI_ALIGN_X_TO_Y(read_size[read_bufnum], SelectedDrive.SectorSize) <= buf_size);
+				if_not_assert(HI_ALIGN_X_TO_Y(read_size[read_bufnum], SelectedDrive.SectorSize) <= buf_size)
+					goto out;
 				read_size[read_bufnum] = HI_ALIGN_X_TO_Y(read_size[read_bufnum], SelectedDrive.SectorSize);
 			}
 
@@ -1660,7 +1679,8 @@ DWORD WINAPI FormatThread(void* param)
 		if (img_report.compression_type == IMG_COMPRESSION_FFU) {
 			char cmd[MAX_PATH + 128], *physical = NULL;
 			// Should have been filtered out beforehand
-			assert(has_ffu_support);
+			if_not_assert(has_ffu_support)
+				goto out;
 			safe_unlockclose(hPhysicalDrive);
 			physical = GetPhysicalName(SelectedDrive.DeviceNumber);
 			static_sprintf(cmd, "dism /Apply-Ffu /ApplyDrive:%s /ImageFile:\"%s\"", physical, image_path);
@@ -1848,8 +1868,7 @@ DWORD WINAPI FormatThread(void* param)
 			// All good
 		} else if (target_type == TT_UEFI) {
 			// For once, no need to do anything - just check our sanity
-			assert((boot_type == BT_IMAGE) && IS_EFI_BOOTABLE(img_report) && (fs_type <= FS_NTFS));
-			if ( (boot_type != BT_IMAGE) || !IS_EFI_BOOTABLE(img_report) || (fs_type > FS_NTFS) ) {
+			if_not_assert((boot_type == BT_IMAGE) && IS_EFI_BOOTABLE(img_report) && (fs_type <= FS_NTFS)) {
 				ErrorStatus = RUFUS_ERROR(ERROR_INSTALL_FAILURE);
 				goto out;
 			}
@@ -1924,7 +1943,8 @@ DWORD WINAPI FormatThread(void* param)
 						ErrorStatus = RUFUS_ERROR(APPERR(ERROR_CANT_PATCH));
 				}
 			} else {
-				assert(!img_report.is_windows_img);
+				if_not_assert(!img_report.is_windows_img)
+					goto out;
 				if (!ExtractISO(image_path, drive_name, FALSE)) {
 					if (!IS_ERROR(ErrorStatus))
 						ErrorStatus = RUFUS_ERROR(APPERR(ERROR_ISO_EXTRACT));

src/iso.c

@@ -1571,8 +1571,8 @@ uint32_t ReadISOFileToBuffer(const char* iso, const char* iso_file, uint8_t** bu
 		goto out;
 	}
 	file_length = udf_get_file_length(p_udf_file);
-	if (file_length > UINT32_MAX) {
-		uprintf("Only files smaller than 4 GB are supported");
+	if (file_length > 1 * GB) {
+		uprintf("Only files smaller than 1 GB are supported");
 		goto out;
 	}
 	nblocks = (uint32_t)((file_length + UDF_BLOCKSIZE - 1) / UDF_BLOCKSIZE);
@@ -1604,10 +1604,11 @@ try_iso:
 		goto out;
 	}
 	file_length = p_statbuf->total_size;
-	if (file_length > UINT32_MAX) {
-		uprintf("Only files smaller than 4 GB are supported");
+	if (file_length > 1 * GB) {
+		uprintf("Only files smaller than 1 GB are supported");
 		goto out;
 	}
+	// coverity[cast_overflow]
 	nblocks = (uint32_t)((file_length + ISO_BLOCKSIZE - 1) / ISO_BLOCKSIZE);
 	*buf = malloc(nblocks * ISO_BLOCKSIZE + 1);
 	if (*buf == NULL) {

src/process.c

@@ -407,7 +407,8 @@ static PWSTR GetProcessCommandLine(HANDLE hProcess)
 
 		ucmdline = (UNICODE_STRING*)(pp + cmd_offset);
 		// In the absolute, someone could craft a process with dodgy attributes to try to cause an overflow
-		ucmdline->Length = min(ucmdline->Length, 512);
+		// coverity[cast_overflow]
+		ucmdline->Length = min(ucmdline->Length, (USHORT)512);
 		wcmdline = (PWSTR)calloc(ucmdline->Length + 1, sizeof(WCHAR));
 		if (!ReadProcessMemory(hProcess, ucmdline->Buffer, wcmdline, ucmdline->Length, NULL)) {
 			safe_free(wcmdline);
@@ -493,8 +494,7 @@ static DWORD WINAPI SearchProcessThread(LPVOID param)
 		// Work on our own copy of the handle names so we don't have to hold the
 		// mutex for string comparison. Update only if the version has changed.
 		if (blocking_process.nVersion[0] != blocking_process.nVersion[1]) {
-			assert(blocking_process.wHandleName != NULL && blocking_process.nHandles != 0);
-			if (blocking_process.wHandleName == NULL || blocking_process.nHandles == 0) {
+			if_not_assert(blocking_process.wHandleName != NULL && blocking_process.nHandles != 0) {
 				ReleaseMutex(hLock);
 				goto out;
 			}
@@ -930,8 +930,7 @@ BYTE GetProcessSearch(uint32_t timeout, uint8_t access_mask, BOOL bIgnoreStalePr
 		return 0;
 	}
 
-	assert(blocking_process.hLock != NULL);
-	if (blocking_process.hLock == NULL)
+	if_not_assert(blocking_process.hLock != NULL)
 		return 0;
 
 retry:

src/registry.h

@@ -37,11 +37,9 @@ static __inline BOOL DeleteRegistryKey(HKEY key_root, const char* key_name)
 	HKEY hSoftware = NULL;
 	LONG s;
 
-	assert(key_root == REGKEY_HKCU);
-	if (key_root != REGKEY_HKCU)
+	if_not_assert(key_root == REGKEY_HKCU)
 		return FALSE;
-	assert(key_name != NULL);
-	if (key_name == NULL)
+	if_not_assert(key_name != NULL)
 		return FALSE;
 
 	if (RegOpenKeyExA(key_root, "SOFTWARE", 0, KEY_READ|KEY_CREATE_SUB_KEY, &hSoftware) != ERROR_SUCCESS)
@@ -135,15 +133,12 @@ static __inline BOOL _SetRegistryKey(HKEY key_root, const char* key_name, DWORD
 	HKEY hRoot = NULL, hApp = NULL;
 	DWORD dwDisp, dwType = reg_type;
 
-	assert(key_name != NULL);
-	if (key_name == NULL)
+	if_not_assert(key_name != NULL)
 		return FALSE;
-	assert(key_root == REGKEY_HKCU);
-	if (key_root != REGKEY_HKCU)
+	if_not_assert(key_root == REGKEY_HKCU)
 		return FALSE;
 	// Validate that we are always dealing with a short key
-	assert(strchr(key_name, '\\') == NULL);
-	if (strchr(key_name, '\\') != NULL)
+	if_not_assert(strchr(key_name, '\\') == NULL)
 		return FALSE;
 
 	if (RegOpenKeyExA(key_root, NULL, 0, KEY_READ|KEY_CREATE_SUB_KEY, &hRoot) != ERROR_SUCCESS) {

src/rufus.c

@@ -1131,7 +1131,8 @@ static void DisplayISOProps(void)
 // Insert the image name into the Boot selection dropdown and (re)populate the Image option dropdown
 static void UpdateImage(BOOL update_image_option_only)
 {
-	assert(image_index != 0);
+	if_not_assert(image_index != 0)
+		return;
 
 	if (!update_image_option_only) {
 		if (ComboBox_GetItemData(hBootType, image_index) == BT_IMAGE)
@@ -1429,8 +1430,7 @@ static DWORD WINAPI BootCheckThread(LPVOID param)
 	}
 
 	if (boot_type == BT_IMAGE) {
-		assert(image_path != NULL);
-		if (image_path == NULL)
+		if_not_assert(image_path != NULL)
 			goto out;
 		if ((size_check) && (img_report.projected_size > (uint64_t)SelectedDrive.DiskSize)) {
 			// This ISO image is too big for the selected target

src/rufus.h

@@ -15,6 +15,7 @@
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
+#include <assert.h>
 #include <windows.h>
 #include <malloc.h>
 #include <inttypes.h>
@@ -36,6 +37,7 @@
 #define MB                          1048576LL
 #define GB                          1073741824LL
 #define TB                          1099511627776LL
+#define PB                          1125899906842624LL
 
 /*
  * Features not ready for prime time and that may *DESTROY* your data - USE AT YOUR OWN RISKS!
@@ -186,6 +188,7 @@ static __inline void static_repchr(char* p, char s, char r) {
 }
 #define to_unix_path(str) static_repchr(str, '\\', '/')
 #define to_windows_path(str) static_repchr(str, '/', '\\')
+#define if_not_assert(cond) assert(cond); if (!(cond))
 
 extern void uprintf(const char *format, ...);
 extern void uprintfs(const char *str);

src/rufus.rc

@@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
 IDD_DIALOG DIALOGEX 12, 12, 232, 326
 STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
 EXSTYLE WS_EX_ACCEPTFILES
-CAPTION "Rufus 4.6.2189"
+CAPTION "Rufus 4.6.2190"
 FONT 9, "Segoe UI Symbol", 400, 0, 0x0
 BEGIN
     LTEXT           "Drive Properties",IDS_DRIVE_PROPERTIES_TXT,8,6,53,12,NOT WS_GROUP
@@ -397,8 +397,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,6,2189,0
- PRODUCTVERSION 4,6,2189,0
+ FILEVERSION 4,6,2190,0
+ PRODUCTVERSION 4,6,2190,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -416,13 +416,13 @@ BEGIN
             VALUE "Comments", "https://rufus.ie"
             VALUE "CompanyName", "Akeo Consulting"
             VALUE "FileDescription", "Rufus"
-            VALUE "FileVersion", "4.6.2189"
+            VALUE "FileVersion", "4.6.2190"
             VALUE "InternalName", "Rufus"
             VALUE "LegalCopyright", "<22> 2011-2024 Pete Batard (GPL v3)"
             VALUE "LegalTrademarks", "https://www.gnu.org/licenses/gpl-3.0.html"
             VALUE "OriginalFilename", "rufus-4.6.exe"
             VALUE "ProductName", "Rufus"
-            VALUE "ProductVersion", "4.6.2189"
+            VALUE "ProductVersion", "4.6.2190"
         END
     END
     BLOCK "VarFileInfo"

src/stdfn.c

@@ -80,8 +80,7 @@ BOOL htab_create(uint32_t nel, htab_table* htab)
 	if (htab == NULL) {
 		return FALSE;
 	}
-	assert(htab->table == NULL);
-	if (htab->table != NULL) {
+	if_not_assert(htab->table == NULL) {
 		uprintf("Warning: htab_create() was called with a non empty table");
 		return FALSE;
 	}
@@ -197,8 +196,7 @@ uint32_t htab_hash(char* str, htab_table* htab)
 	// Not found => New entry
 
 	// If the table is full return an error
-	assert(htab->filled < htab->size);
-	if (htab->filled >= htab->size) {
+	if_not_assert(htab->filled < htab->size) {
 		uprintf("Hash table is full (%d entries)", htab->size);
 		return 0;
 	}
@@ -1199,7 +1197,8 @@ BOOL MountRegistryHive(const HKEY key, const char* pszHiveName, const char* pszH
 	LSTATUS status;
 	HANDLE token = INVALID_HANDLE_VALUE;
 
-	assert((key == HKEY_LOCAL_MACHINE) || (key == HKEY_USERS));
+	if_not_assert((key == HKEY_LOCAL_MACHINE) || (key == HKEY_USERS))
+		return FALSE;
 
 	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &token)) {
 		uprintf("Could not get current process token: %s", WindowsErrorString());
@@ -1230,7 +1229,8 @@ BOOL UnmountRegistryHive(const HKEY key, const char* pszHiveName)
 {
 	LSTATUS status;
 
-	assert((key == HKEY_LOCAL_MACHINE) || (key == HKEY_USERS));
+	if_not_assert((key == HKEY_LOCAL_MACHINE) || (key == HKEY_USERS))
+		return FALSE;
 
 	status = RegUnLoadKeyA(key, pszHiveName);
 	if (status != ERROR_SUCCESS) {

src/stdio.c

@@ -857,7 +857,8 @@ uint32_t ResolveDllAddress(dll_resolver_t* resolver)
 
 	// NB: SymLoadModuleEx() does not load a PDB unless the file has an explicit '.pdb' extension
 	base_address = pfSymLoadModuleEx(hRufus, NULL, path, NULL, DEFAULT_BASE_ADDRESS, 0, NULL, 0);
-	assert(base_address == DEFAULT_BASE_ADDRESS);
+	if_not_assert(base_address == DEFAULT_BASE_ADDRESS)
+		goto out;
 	// On Windows 11 ARM64 the following call will return *TWO* different addresses for the same
 	// call, because most Windows DLL's are ARM64X, which means that they are an unholy union of
 	// both X64 and ARM64 code in the same binary...

src/stdlg.c

@@ -588,7 +588,8 @@ INT_PTR CALLBACK NotificationCallback(HWND hDlg, UINT message, WPARAM wParam, LP
 			return (INT_PTR)TRUE;
 		case IDC_MORE_INFO:
 			if (notification_more_info != NULL) {
-				assert(notification_more_info->callback != NULL);
+				if_not_assert(notification_more_info->callback != NULL)
+					return (INT_PTR)FALSE;
 				if (notification_more_info->id == MORE_INFO_URL) {
 					ShellExecuteA(hDlg, "open", notification_more_info->url, NULL, NULL, SW_SHOWNORMAL);
 				} else {

src/ui.c

@@ -575,7 +575,8 @@ void SetSectionHeaders(HWND hDlg)
 		memset(wtmp, 0, sizeof(wtmp));
 		GetWindowTextW(hCtrl, wtmp, ARRAYSIZE(wtmp) - 4);
 		wlen = wcslen(wtmp);
-		assert(wlen < ARRAYSIZE(wtmp) - 2);
+		if_not_assert(wlen < ARRAYSIZE(wtmp) - 2)
+			break;
 		wtmp[wlen++] = L' ';
 		wtmp[wlen++] = L' ';
 		SetWindowTextW(hCtrl, wtmp);

src/vhd.c

@@ -1006,8 +1006,9 @@ static DWORD WINAPI VhdSaveImageThread(void* param)
 	OVERLAPPED overlapped = { 0 };
 	DWORD r = ERROR_NOT_FOUND, flags;
 
-	assert(img_save->Type == VIRTUAL_STORAGE_TYPE_DEVICE_VHD ||
-		img_save->Type == VIRTUAL_STORAGE_TYPE_DEVICE_VHDX);
+	if_not_assert(img_save->Type == VIRTUAL_STORAGE_TYPE_DEVICE_VHD ||
+		img_save->Type == VIRTUAL_STORAGE_TYPE_DEVICE_VHDX)
+		return ERROR_INVALID_PARAMETER;
 
 	UpdateProgressWithInfoInit(NULL, FALSE);
 

src/wue.c

@@ -905,7 +905,8 @@ BOOL ApplyWindowsCustomization(char drive_letter, int flags)
 			// If we have a windowsPE section, copy the answer files to the root of boot.wim as
 			// Autounattend.xml. This also results in that file being automatically copied over
 			// to %WINDIR%\Panther\unattend.xml for later passes processing.
-			assert(mount_path != NULL);
+			if_not_assert(mount_path != NULL)
+				goto out;
 			static_sprintf(path, "%s\\Autounattend.xml", mount_path);
 			if (!CopyFileU(unattend_xml_path, path, TRUE)) {
 				uprintf("Could not create boot.wim 'Autounattend.xml': %s", WindowsErrorString());