Diffstat (limited to 'src')
-rw-r--r--src/Common/Dlgcode.c33
-rw-r--r--src/Main/TextUserInterface.cpp18
2 files changed, 43 insertions, 8 deletions
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
index 78aa3844..4ea10aaa 100644
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -14240,9 +14240,11 @@ BOOL BufferHasPattern (const unsigned char* buffer, size_t bufferLen, const void
return bRet;
}
-/* Implementation borrowed from KeePassXC source code (https://github.com/keepassxreboot/keepassxc/blob/release/2.4.0/src/core/Bootstrap.cpp#L150)
+/* Implementation borrowed from KeePassXC source code (https://github.com/keepassxreboot/keepassxc/blob/2.7.8/src/core/Bootstrap.cpp#L121)
*
* Reduce current user acess rights for this process to the minimum in order to forbid non-admin users from reading the process memory.
+ * Restrict access to changing DACL's after the process is started. This prevents the creator of veracrypt process from simply adding
+ * the permission to read memory back to the DACL list.
*/
BOOL ActivateMemoryProtection()
{
@@ -14252,6 +14254,8 @@ BOOL ActivateMemoryProtection()
HANDLE hToken = NULL;
PTOKEN_USER pTokenUser = NULL;
DWORD cbBufferSize = 0;
+ PSID pOwnerRightsSid = NULL;
+ DWORD pOwnerRightsSidSize = SECURITY_MAX_SID_SIZE;
// Access control list
PACL pACL = NULL;
@@ -14292,8 +14296,19 @@ BOOL ActivateMemoryProtection()
goto Cleanup;
}
+ // Retrieve CreaterOwnerRights SID
+ pOwnerRightsSid = (PSID) HeapAlloc(GetProcessHeap(), 0, pOwnerRightsSidSize);
+ if (pOwnerRightsSid == NULL) {
+ goto Cleanup;
+ }
+
+ if (!CreateWellKnownSid(WinCreatorOwnerRightsSid, NULL, pOwnerRightsSid, &pOwnerRightsSidSize)) {
+ goto Cleanup;
+ }
+
// Calculate the amount of memory that must be allocated for the DACL
- cbACL = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pTokenUser->User.Sid);
+ cbACL = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pTokenUser->User.Sid)
+ + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pOwnerRightsSid);
// Create and initialize an ACL
pACL = (PACL) HeapAlloc(GetProcessHeap(), 0, cbACL);
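Review bot: A failure of `CreateWellKnownSid` (or of the HeapAlloc before it) now jumps to Cleanup and leaves the process with no hardened DACL at all, whereas the pre-change code would still have installed the single user-SID ACE; if the caller treats a FALSE return as a warning only (not visible here), this fails open rather than degrading to the previous protection, and a comment stating that choice is warranted. The `p` prefix on `pOwnerRightsSidSize` suggests a pointer although it is a DWORD; `ownerRightsSidSize` reads correctly, and the comment typo `Creater` should be `CreatorOwnerRights`. Since the SID is at most SECURITY_MAX_SID_SIZE bytes, a stack buffer would remove the allocation and the matching HeapFree in Cleanup: `BYTE ownerRightsSidBuf[SECURITY_MAX_SID_SIZE]; PSID pOwnerRightsSid = (PSID) ownerRightsSidBuf; DWORD ownerRightsSidSize = sizeof (ownerRightsSidBuf);`. ActivateMemoryProtection starts and ends outside this hunk.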
@@ -14315,6 +14330,17 @@ BOOL ActivateMemoryProtection()
goto Cleanup;
}
+ // Explicitly set "Process Owner" rights to Read Only. The default is Full Control.
+ if (!AddAccessAllowedAce(
+ pACL,
+ ACL_REVISION,
+ READ_CONTROL,
+ pOwnerRightsSid
+ )) {
+ goto Cleanup;
+ }
+
+
// Set discretionary access control list
bSuccess = (ERROR_SUCCESS == SetSecurityInfo(GetCurrentProcess(), // object handle
SE_KERNEL_OBJECT, // type of object
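Review bot: The comment above the new AddAccessAllowedAce call says the owner is set to "Read Only", but READ_CONTROL only permits reading the security descriptor; the point of an OWNER RIGHTS ACE is that its presence replaces the implicit owner rights (READ_CONTROL | WRITE_DAC), so the effect is that WRITE_DAC is withheld from the creating user. I would rewrite it as `// OWNER RIGHTS ACE: grant the process owner READ_CONTROL only. Its presence replaces the implicit owner rights, so WRITE_DAC is withheld and the creating user cannot relax this DACL afterwards. Holders of SeDebugPrivilege or SeTakeOwnershipPrivilege are not affected by this.` so that readers do not overestimate the guarantee. The two consecutive added blank lines before `// Set discretionary access control list` should be reduced to one. The SetSecurityInfo call continues outside the hunk, so whether the DACL is also marked protected against inheritance cannot be checked here.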
@@ -14333,6 +14359,9 @@ Cleanup:
if (pACL != NULL) {
HeapFree(GetProcessHeap(), 0, pACL);
}
+ if (pOwnerRightsSid != NULL) {
+ HeapFree(GetProcessHeap(), 0, pOwnerRightsSid);
+ }
if (pTokenUser != NULL) {
HeapFree(GetProcessHeap(), 0, pTokenUser);
}
diff --git a/src/Main/TextUserInterface.cpp b/src/Main/TextUserInterface.cpp
index 0de76c6b..94919296 100644
--- a/src/Main/TextUserInterface.cpp
+++ b/src/Main/TextUserInterface.cpp
@@ -668,7 +668,7 @@ namespace VeraCrypt
{
parentDir = wxT(".");
}
- if (wxDirExists(parentDir) && wxGetDiskSpace (parentDir, nullptr, &diskSpace))
+ if (options->Type == VolumeType::Normal && wxDirExists(parentDir) && wxGetDiskSpace (parentDir, nullptr, &diskSpace))
{
AvailableDiskSpace = (uint64) diskSpace.GetValue ();
if (maxVolumeSize > AvailableDiskSpace)
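Review bot: With the added `options->Type == VolumeType::Normal` guard, AvailableDiskSpace is never assigned for hidden volumes, and the two later `else if (AvailableDiskSpace)` branches rely on it still holding its initial value; that initialization is outside this hunk, so it is worth a comment here making the dependency explicit, e.g. `// Hidden volumes are created inside the outer volume, so the host filesystem's free space is irrelevant; AvailableDiskSpace keeps its initial value and the "max" paths below reject hidden volumes.` The enclosing function starts before and ends after this hunk.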
@@ -678,10 +678,13 @@ namespace VeraCrypt
if (options->Size == (uint64) (-1))
{
- if (AvailableDiskSpace)
+ if (options->Type == VolumeType::Hidden) {
+ throw_err (_("Please do not use maximum size for hidden volume. As we do not mount the outer volume to determine the available space, it is your responsibility to choose a value so that the hidden volume does not overlap the outer volume."));
+ }
+ else if (AvailableDiskSpace)
{
// caller requesting maximum size
- // we use maxVolumeSize because it is guaranteed to be less of equal to AvailableDiskSpace
+ // we use maxVolumeSize because it is guaranteed to be less or equal to AvailableDiskSpace for outer volumes
options->Size = maxVolumeSize;
}
else
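Review bot: The long `throw_err (_("Please do not use maximum size for hidden volume. ..."))` message is duplicated verbatim in the following hunk (the `max` handling after AskString), so the two copies will drift the next time the wording is edited; hoisting it into one file-local helper such as `static void ThrowHiddenVolumeMaxSizeError ()` that wraps the `throw_err (_(...))` and calling it from both places keeps a single translatable string. The added `if (options->Type == VolumeType::Hidden) {` puts the brace on the same line, while the surrounding code (the `{` under `else if (AvailableDiskSpace)`) uses Allman style; match the file's convention. The enclosing function starts before and ends after this hunk.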
@@ -702,14 +705,17 @@ namespace VeraCrypt
throw MissingArgument (SRC_POS);
uint64 multiplier = 1024 * 1024;
- wxString sizeStr = AskString (options->Type == VolumeType::Hidden ? _("\nEnter hidden volume size (sizeK/size[M]/sizeG/sizeT/max): ") : _("\nEnter volume size (sizeK/size[M]/sizeG.sizeT/max): "));
+ wxString sizeStr = AskString (options->Type == VolumeType::Hidden ? _("\nEnter hidden volume size (sizeK/size[M]/sizeG/sizeT): ") : _("\nEnter volume size (sizeK/size[M]/sizeG.sizeT/max): "));
if (sizeStr.CmpNoCase(wxT("max")) == 0)
{
multiplier = 1;
- if (AvailableDiskSpace)
+ if (options->Type == VolumeType::Hidden) {
+ throw_err (_("Please do not use maximum size for hidden volume. As we do not mount the outer volume to determine the available space, it is your responsibility to choose a value so that the hidden volume does not overlap the outer volume."));
+ }
+ else if (AvailableDiskSpace)
{
// caller requesting maximum size
- // we use maxVolumeSize because it is guaranteed to be less of equal to AvailableDiskSpace
+ // we use maxVolumeSize because it is guaranteed to be less or equal to AvailableDiskSpace for outer volumes
options->Size = maxVolumeSize;
}
else