From 283724cf04095835a29dbaf78931edb035340d2b Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Thu, 4 Apr 2019 13:27:05 +0200
Subject: [PATCH] mustek backend crashed from stack smashing (upstream issue #71)
---
 ..._usb2-Avoid-stack-smashing.-Fixes-35.patch | 88 +++++++++++++++++++
 sane-backends.spec | 9 +-
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 0001-mustek_usb2-Avoid-stack-smashing.-Fixes-35.patch
diff --git a/0001-mustek_usb2-Avoid-stack-smashing.-Fixes-35.patch b/0001-mustek_usb2-Avoid-stack-smashing.-Fixes-35.patch
new file mode 100644
index 0000000..2c36b8a
--- /dev/null
+++ b/0001-mustek_usb2-Avoid-stack-smashing.-Fixes-35.patch
@@ -0,0 +1,88 @@
+From 93340afddfbc4085a5297fe635b65dd7f7f3ef05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?=
+Date: Mon, 17 Dec 2018 00:05:43 +0100
+Subject: [PATCH] mustek_usb2: Avoid stack smashing. Fixes #35
+
+Use a properly sized variable in call to sanei_usb_{read,write}_bulk.
+
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886777
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907972
+---
+ backend/mustek_usb2_asic.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/backend/mustek_usb2_asic.c b/backend/mustek_usb2_asic.c
+index b5f3b0a4..b31c7494 100644
+--- a/backend/mustek_usb2_asic.c
++++ b/backend/mustek_usb2_asic.c
+@@ -255,6 +255,7 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ STATUS status = STATUS_GOOD;
+ unsigned int i, buf[1];
+ unsigned int read_size;
++ size_t read_size_usb;
+
+ DBG (DBG_ASIC, "Mustek_DMARead: Enter\n");
+
+@@ -268,9 +269,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ SetRWSize (chip, 1, buf[0]);
+ status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+
++ read_size_usb = buf[0];
+ status =
+ sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
+- (size_t *) buf);
++ &read_size_usb);
++ buf[0] = read_size_usb;
+ if (status != STATUS_GOOD)
+ {
+ DBG (DBG_ERR, "Mustek_DMARead: read error\n");
+@@ -284,9 +287,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ SetRWSize (chip, 1, buf[0]);
+ status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+
++ read_size_usb = buf[0];
+ status =
+ sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
+- (size_t *) buf);
++ &read_size_usb);
++ buf[0] = read_size_usb;
+ if (status != STATUS_GOOD)
+ {
+ DBG (DBG_ERR, "Mustek_DMARead: read error\n");
+@@ -307,6 +312,7 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ unsigned int buf[1];
+ unsigned int i;
+ unsigned int 
write_size; ++ size_t write_size_usb; + + DBG (DBG_ASIC, "Mustek_DMAWrite: Enter:size=%d\n", size); + +@@ -320,9 +326,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata) + SetRWSize (chip, 0, buf[0]); + WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf); + ++ write_size_usb = buf[0]; + status = + sanei_usb_write_bulk (chip->fd, lpdata + i * write_size, +- (size_t *) buf); ++ &write_size_usb); ++ buf[0] = write_size_usb; + if (status != STATUS_GOOD) + { + DBG (DBG_ERR, "Mustek_DMAWrite: write error\n"); +@@ -337,9 +345,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata) + SetRWSize (chip, 0, buf[0]); + WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf); + ++ write_size_usb = buf[0]; + status = + sanei_usb_write_bulk (chip->fd, lpdata + i * write_size, +- (size_t *) buf); ++ &write_size_usb); ++ buf[0] = write_size_usb; + if (status != STATUS_GOOD) + { + DBG (DBG_ERR, "Mustek_DMAWrite: write error\n"); +-- +2.20.1 + diff --git a/sane-backends.spec b/sane-backends.spec index e219627..befce72 100644 --- a/sane-backends.spec +++ b/sane-backends.spec @@ -33,7 +33,7 @@ Summary: Scanner access software Name: sane-backends Version: 1.0.27 -Release: 22%{?dist} +Release: 23%{?dist} # lib/ is LGPLv2+, backends are GPLv2+ with exceptions # Tools are GPLv2+, docs are public domain # see LICENSE for details @@ -59,6 +59,9 @@ Patch3: sane-backends-saned-manpage.patch Patch4: sane-backends-canon-lide-100.patch # Revert samsung patch from upstream (upstream tracker https://alioth.debian.org/tracker/index.php?func=detail&aid=315876&group_id=30186&atid=410366) Patch5: sane-backends-revert-samsung-patch.patch +# Mustek scanner did not work since Fedora 27 due more strict gcc flags +# Backported from upstream https://gitlab.com/sane-project/backends/commit/93340afddfbc4085a5297fe635b65dd7f7f3ef05 +Patch6: 0001-mustek_usb2-Avoid-stack-smashing.-Fixes-35.patch URL: http://www.sane-project.org 
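Review bot: The four bulk calls now receive a real `size_t`, but the count that `sanei_usb_read_bulk` / `sanei_usb_write_bulk` hands back in `read_size_usb` / `write_size_usb` is only copied into `buf[0]` and never compared with the length that was requested, so a short transfer reported with `STATUS_GOOD` would, as far as these hunks show, leave part of `lpdata` unfilled (or unsent) while the caller is told the transfer succeeded. Keeping the requested length and testing it, e.g. `size_t want = read_size_usb;` before the call and `if (status != STATUS_GOOD || read_size_usb != want)` after it, would close that gap at all four call sites in Mustek_DMARead and Mustek_DMAWrite. The context lines also show the result of `WriteIOControl` being overwritten unchecked in Mustek_DMARead and discarded in Mustek_DMAWrite, so a failed length setup still proceeds to the bulk transfer. Both function bodies start and end outside the hunks, so the loop bounds and any later use of `buf[0]` cannot be confirmed from here.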
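Review bot: The comment added above `Patch6` attributes the failure to "more strict gcc flags", which undersells what the backported patch fixes: it removes a `(size_t *) buf` cast over `unsigned int buf[1]`, an out-of-bounds stack write wherever `size_t` is wider than `unsigned int`, and the compiler flags presumably only made the corruption visible. A wording such as `# mustek_usb2: fix stack buffer overflow in bulk read/write (size_t written through unsigned int[1])` would let anyone auditing the spec see that this is a memory-safety fix and not a build-flag workaround.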
@@ -194,6 +197,7 @@ access image acquisition devices available on the local host. %patch3 -p1 -b .saned-manpage %patch4 -p1 -b .canon-lide-100 %patch5 -p1 -b .revert-samsung-patch +%patch6 -p1 -b .mustek-stack-smash %build CFLAGS="%optflags -fno-strict-aliasing" @@ -355,6 +359,9 @@ exit 0 %{_unitdir}/saned@.service %changelog +* Wed Apr 03 2019 Zdenek Dohnal - 1.0.27-23 +- mustek backend crashed from stack smashing (upstream issue #71) + * Mon Feb 04 2019 Zdenek Dohnal - 1.0.27-22 - 1671510 - Incorrect udev rule in sane-backends