rpms/sane-backends
7
0
Fork 0
Code Issues Pull Requests Releases Activity

mustek backend crashed from stack smashing (upstream issue #71)

Browse Source
This commit is contained in:
Zdenek Dohnal 2019-04-04 13:27:05 +02:00
parent a6d3b3c323
commit 283724cf04
2 changed files with 96 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
0001-mustek_usb2-Avoid-stack-smashing.-Fixes-35.patch Normal file
View File

@ -0,0 +1,88 @@
From 93340afddfbc4085a5297fe635b65dd7f7f3ef05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= <bernhardu@mailbox.org>
Date: Mon, 17 Dec 2018 00:05:43 +0100
Subject: [PATCH] mustek_usb2: Avoid stack smashing. Fixes #35
Use a properly sized variable in call to sanei_usb_{read,write}_bulk.
Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886777
Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907972
---
backend/mustek_usb2_asic.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/backend/mustek_usb2_asic.c b/backend/mustek_usb2_asic.c
index b5f3b0a4..b31c7494 100644
--- a/backend/mustek_usb2_asic.c
+++ b/backend/mustek_usb2_asic.c
@@ -255,6 +255,7 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
STATUS status = STATUS_GOOD;
unsigned int i, buf[1];
unsigned int read_size;
+ size_t read_size_usb;
DBG (DBG_ASIC, "Mustek_DMARead: Enter\n");
@@ -268,9 +269,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
SetRWSize (chip, 1, buf[0]);
status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+ read_size_usb = buf[0];
status =
sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
- (size_t *) buf);
+ &read_size_usb);
+ buf[0] = read_size_usb;
if (status != STATUS_GOOD)
{
DBG (DBG_ERR, "Mustek_DMARead: read error\n");
@@ -284,9 +287,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
SetRWSize (chip, 1, buf[0]);
status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+ read_size_usb = buf[0];
status =
sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
- (size_t *) buf);
+ &read_size_usb);
+ buf[0] = read_size_usb;
if (status != STATUS_GOOD)
{
DBG (DBG_ERR, "Mustek_DMARead: read error\n");
@@ -307,6 +312,7 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
unsigned int buf[1];
unsigned int i;
unsigned int write_size;
+ size_t write_size_usb;
DBG (DBG_ASIC, "Mustek_DMAWrite: Enter:size=%d\n", size);
@@ -320,9 +326,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
SetRWSize (chip, 0, buf[0]);
WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);
+ write_size_usb = buf[0];
status =
sanei_usb_write_bulk (chip->fd, lpdata + i * write_size,
- (size_t *) buf);
+ &write_size_usb);
+ buf[0] = write_size_usb;
if (status != STATUS_GOOD)
{
DBG (DBG_ERR, "Mustek_DMAWrite: write error\n");
@@ -337,9 +345,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
SetRWSize (chip, 0, buf[0]);
WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);
+ write_size_usb = buf[0];
status =
sanei_usb_write_bulk (chip->fd, lpdata + i * write_size,
- (size_t *) buf);
+ &write_size_usb);
+ buf[0] = write_size_usb;
if (status != STATUS_GOOD)
{
DBG (DBG_ERR, "Mustek_DMAWrite: write error\n");
--
2.20.1

9
sane-backends.spec
View File

@ -33,7 +33,7 @@
Summary: Scanner access software Summary: Scanner access software
Name: sane-backends Name: sane-backends
Version: 1.0.27 Version: 1.0.27
Release: 22%{?dist} Release: 23%{?dist}
# lib/ is LGPLv2+, backends are GPLv2+ with exceptions # lib/ is LGPLv2+, backends are GPLv2+ with exceptions
# Tools are GPLv2+, docs are public domain # Tools are GPLv2+, docs are public domain
# see LICENSE for details # see LICENSE for details
@ -59,6 +59,9 @@ Patch3: sane-backends-saned-manpage.patch
Patch4: sane-backends-canon-lide-100.patch Patch4: sane-backends-canon-lide-100.patch
# Revert samsung patch from upstream (upstream tracker https://alioth.debian.org/tracker/index.php?func=detail&aid=315876&group_id=30186&atid=410366) # Revert samsung patch from upstream (upstream tracker https://alioth.debian.org/tracker/index.php?func=detail&aid=315876&group_id=30186&atid=410366)
Patch5: sane-backends-revert-samsung-patch.patch Patch5: sane-backends-revert-samsung-patch.patch
# Mustek scanner did not work since Fedora 27 due more strict gcc flags
# Backported from upstream https://gitlab.com/sane-project/backends/commit/93340afddfbc4085a5297fe635b65dd7f7f3ef05
Patch6: 0001-mustek_usb2-Avoid-stack-smashing.-Fixes-35.patch
URL: http://www.sane-project.org URL: http://www.sane-project.org
@ -194,6 +197,7 @@ access image acquisition devices available on the local host.
%patch3 -p1 -b .saned-manpage %patch3 -p1 -b .saned-manpage
%patch4 -p1 -b .canon-lide-100 %patch4 -p1 -b .canon-lide-100
%patch5 -p1 -b .revert-samsung-patch %patch5 -p1 -b .revert-samsung-patch
%patch6 -p1 -b .mustek-stack-smash
%build %build
CFLAGS="%optflags -fno-strict-aliasing" CFLAGS="%optflags -fno-strict-aliasing"
@ -355,6 +359,9 @@ exit 0
%{_unitdir}/saned@.service %{_unitdir}/saned@.service
%changelog %changelog
* Wed Apr 03 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-23
- mustek backend crashed from stack smashing (upstream issue #71)
* Mon Feb 04 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-22 * Mon Feb 04 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-22
- 1671510 - Incorrect udev rule in sane-backends - 1671510 - Incorrect udev rule in sane-backends