Hello again, I have found some more out-of-bounds accesses:
- out_of_bounds.patch: prevent multiple out-of-bounds accesses Severity: grave Debian bug: none This patch includes niash_c-array-bounds.patch CU Jörg -- pgp Fingerprint: 7D13 3C60 0A10 DBE1 51F8 EBCB 422B 44B0 BE58 1B6E pgp Key: BE581B6E CAcert Key S/N: 0E:D4:56 Jörg Frings-Fürst D-54526 Niederkail Threema-ID: SYR8SJXB IRC: j_...@freenode.net, j_...@oftc.net
Description: prevent out-of-bounds Author: Jörg Frings-Fürst <deb...@jff-webhosting.net> Forwarded: http://lists.alioth.debian.org/pipermail/sane-devel/2014-October Last-Update: 2014-10-26 --- Index: trunk/backend/genesys_devices.c ==================================================================--- trunk.orig/backend/genesys_devices.c +++ trunk/backend/genesys_devices.c @@ -3362,7 +3362,7 @@ static Genesys_Model canon_formula101_mo 100 }; - +/* put the size on MAX_SCANNERS in genesys_low.h */ static Genesys_USB_Device_Entry genesys_usb_device_list[] = { /* GL646 devices */ {0x03f0, 0x0901, &hp2300c_model}, Index: trunk/backend/genesys_low.h ==================================================================--- trunk.orig/backend/genesys_low.h +++ trunk/backend/genesys_low.h @@ -309,8 +309,9 @@ typedef enum Genesys_Color_Order } Genesys_Color_Order; - -#define MAX_SCANNERS 50 +/* To prevent out-of-bounds errors MAX_SCANNERS must be the size of genesys_usb_device_list */ +/* found on genesys_devices.c */ +#define MAX_SCANNERS 40 #define MAX_RESOLUTIONS 13 #define MAX_DPI 4 Index: trunk/backend/umax1220u-common.c ==================================================================--- trunk.orig/backend/umax1220u-common.c +++ trunk/backend/umax1220u-common.c @@ -972,7 +972,8 @@ move_2100U (UMAX_Handle * scan, int dist unsigned char ope2[3] = { 0x00, 0xff, 0xff }; - unsigned char buf[512]; + /* To prevent out-of-bounds in functions (PAD|CKK)_ARRAY set the size from 512 to 522 */ + unsigned char buf[522]; SANE_Status res; Index: trunk/backend/hs2p.h ==================================================================--- trunk.orig/backend/hs2p.h +++ trunk/backend/hs2p.h 
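Review bot: In genesys_low.h, `#define MAX_SCANNERS 40` is still a hand-maintained number that only a comment ties to the length of `genesys_usb_device_list`, so the next entry added to the table in genesys_devices.c can bring the out-of-bounds access back, and if the table ever holds more than 40 entries the tail may be silently skipped. The table's length and the code that uses MAX_SCANNERS are outside both hunks, so whether 40 matches today cannot be confirmed from here. Where the array is in scope, bounding by the array itself removes the coupling, for example `#define GENESYS_USB_DEVICE_COUNT (sizeof genesys_usb_device_list / sizeof genesys_usb_device_list[0])` (the name is a suggestion), or a compile-time check that the two values agree. The reminder comment added in genesys_devices.c would then no longer be needed.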
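Review bot: Growing `buf` from 512 to 522 in move_2100U hides the out-of-bounds write behind an unexplained 10 bytes of padding instead of tying the size to what the array macros named in the comment actually touch; the hs2p.h hunk does the same with `GAMMA_LENGTH + 2`. The macro definitions and the rest of move_2100U are outside the hunk, so the required size cannot be checked here, and a later change on either side can reintroduce the overflow. I would define the size next to those macros and use it in the declaration, e.g. `unsigned char buf[UMAX_XFER_BUF_LEN];` (placeholder name), and have the comment state which offset needs the extra bytes. If other functions in this file declare a 512-byte `buf` and use the same macros, they need the same change.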
@@ -264,7 +264,8 @@ typedef struct HS2P_Scanner Option_Value val[NUM_OPTIONS]; SANE_Parameters params; /* SANE image parameters */ /* additional values that don't fit into Option_Value representation */ - SANE_Word gamma_table[GAMMA_LENGTH]; /* Custom Gray Gamma Table */ + /* To prevnted out-of-bounds add + 2 */ + SANE_Word gamma_table[GAMMA_LENGTH + 2]; /* Custom Gray Gamma Table */ /* state information - not options */ Index: trunk/backend/niash.c ==================================================================--- trunk.orig/backend/niash.c +++ trunk/backend/niash.c @@ -64,6 +64,7 @@ /* options enumerator */ +/* on changes please check the typedef struct TScanner */ typedef enum { optCount = 0, @@ -105,8 +106,8 @@ typedef union typedef struct { - SANE_Option_Descriptor aOptions[optLast]; - TOptionValue aValues[optLast]; + SANE_Option_Descriptor aOptions[optGamma + 1]; + TOptionValue aValues[optGamma + 1]; TScanParams ScanParams; THWParams HWParams;
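Review bot: Enlarging `gamma_table` to `GAMMA_LENGTH + 2` inside HS2P_Scanner also changes `sizeof` of that field, so any code that sizes a copy or a transfer with `sizeof` of `gamma_table` rather than with `GAMMA_LENGTH` would now handle two extra words; those uses are not visible in this hunk and should be checked. The added comment should name the access that runs past `GAMMA_LENGTH`, along the lines of `/* <function> writes gamma_table[GAMMA_LENGTH + 1]; keep two spare words */` with the real function filled in, and "prevnted" is a typo for "prevent". The struct continues outside the hunk on both sides.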
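Review bot: Sizing `aOptions` and `aValues` with `optGamma + 1` hard-codes which enumerator is currently last, so an option appended after `optGamma` reintroduces the same overflow, and only the comment added in the previous hunk warns about it. The enum body is outside both hunks, so this assumes `optGamma` is its final member. A terminal enumerator that is never used as an option, placed last in the enum, keeps the arrays correct without manual upkeep: `SANE_Option_Descriptor aOptions[optEnumEnd];` and `TOptionValue aValues[optEnumEnd];` (`optEnumEnd` is a suggested name). Any loop that stops at `optLast` would keep its current meaning.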