summaryrefslogtreecommitdiff
path: root/debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch')
-rw-r--r--debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch88
1 files changed, 88 insertions, 0 deletions
diff --git a/debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch b/debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch
new file mode 100644
index 0000000..747bcde
--- /dev/null
+++ b/debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch
@@ -0,0 +1,88 @@
+From 93340afddfbc4085a5297fe635b65dd7f7f3ef05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= <bernhardu@mailbox.org>
+Date: Mon, 17 Dec 2018 00:05:43 +0100
+Subject: [PATCH] mustek_usb2: Avoid stack smashing. Fixes #35
+
+Use a properly sized variable in call to sanei_usb_{read,write}_bulk.
+
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886777
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907972
+---
+ backend/mustek_usb2_asic.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/backend/mustek_usb2_asic.c b/backend/mustek_usb2_asic.c
+index b5f3b0a4..b31c7494 100644
+--- a/backend/mustek_usb2_asic.c
++++ b/backend/mustek_usb2_asic.c
+@@ -255,6 +255,7 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ STATUS status = STATUS_GOOD;
+ unsigned int i, buf[1];
+ unsigned int read_size;
++ size_t read_size_usb;
+
+ DBG (DBG_ASIC, "Mustek_DMARead: Enter\n");
+
+@@ -268,9 +269,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ SetRWSize (chip, 1, buf[0]);
+ status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+
++ read_size_usb = buf[0];
+ status =
+ sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
+- (size_t *) buf);
++ &read_size_usb);
++ buf[0] = read_size_usb;
+ if (status != STATUS_GOOD)
+ {
+ DBG (DBG_ERR, "Mustek_DMARead: read error\n");
+@@ -284,9 +287,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ SetRWSize (chip, 1, buf[0]);
+ status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+
++ read_size_usb = buf[0];
+ status =
+ sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
+- (size_t *) buf);
++ &read_size_usb);
++ buf[0] = read_size_usb;
+ if (status != STATUS_GOOD)
+ {
+ DBG (DBG_ERR, "Mustek_DMARead: read error\n");
+@@ -307,6 +312,7 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ unsigned int buf[1];
+ unsigned int i;
+ unsigned int write_size;
++ size_t write_size_usb;
+
+ DBG (DBG_ASIC, "Mustek_DMAWrite: Enter:size=%d\n", size);
+
+@@ -320,9 +326,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ SetRWSize (chip, 0, buf[0]);
+ WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);
+
++ write_size_usb = buf[0];
+ status =
+ sanei_usb_write_bulk (chip->fd, lpdata + i * write_size,
+- (size_t *) buf);
++ &write_size_usb);
++ buf[0] = write_size_usb;
+ if (status != STATUS_GOOD)
+ {
+ DBG (DBG_ERR, "Mustek_DMAWrite: write error\n");
+@@ -337,9 +345,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+ SetRWSize (chip, 0, buf[0]);
+ WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);
+
++ write_size_usb = buf[0];
+ status =
+ sanei_usb_write_bulk (chip->fd, lpdata + i * write_size,
+- (size_t *) buf);
++ &write_size_usb);
++ buf[0] = write_size_usb;
+ if (status != STATUS_GOOD)
+ {
+ DBG (DBG_ERR, "Mustek_DMAWrite: write error\n");
+--
+2.18.1
+