From 93340afddfbc4085a5297fe635b65dd7f7f3ef05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= <bernhardu@mailbox.org>
Date: Mon, 17 Dec 2018 00:05:43 +0100
Subject: [PATCH] mustek_usb2: Avoid stack smashing. Fixes #35
Use a properly sized variable in call to sanei_usb_{read,write}_bulk.
Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886777
Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907972
---
backend/mustek_usb2_asic.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/backend/mustek_usb2_asic.c b/backend/mustek_usb2_asic.c
index b5f3b0a4..b31c7494 100644
--- a/backend/mustek_usb2_asic.c
+++ b/backend/mustek_usb2_asic.c
@@ -255,6 +255,7 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
STATUS status = STATUS_GOOD;
unsigned int i, buf[1];
unsigned int read_size;
+ size_t read_size_usb;
DBG (DBG_ASIC, "Mustek_DMARead: Enter\n");
@@ -268,9 +269,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
SetRWSize (chip, 1, buf[0]);
status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+ read_size_usb = buf[0];
status =
sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
- (size_t *) buf);
+ &read_size_usb);
+ buf[0] = read_size_usb;
if (status != STATUS_GOOD)
{
DBG (DBG_ERR, "Mustek_DMARead: read error\n");
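Review bot: A short transfer is not detected after the `sanei_usb_read_bulk` call in this hunk: the added `buf[0] = read_size_usb;` copies back the count the call reports, but nothing visible compares it with the requested length, while the destination keeps advancing by the fixed `read_size`. If the scanner delivers fewer bytes with STATUS_GOOD, part of `lpdata` would keep its previous contents and be passed on as image data. I would save the requested length before the call and treat a mismatch as a read error, e.g. `if (status == STATUS_GOOD && read_size_usb != requested) { /* fail as read error */ }`. The same applies to the second read hunk and to both `sanei_usb_write_bulk` hunks. The loop and the code that sets `buf[0]` start outside the hunk, so the requested value is inferred.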
@@ -284,9 +287,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
SetRWSize (chip, 1, buf[0]);
status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+ read_size_usb = buf[0];
status =
sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
- (size_t *) buf);
+ &read_size_usb);
+ buf[0] = read_size_usb;
if (status != STATUS_GOOD)
{
DBG (DBG_ERR, "Mustek_DMARead: read error\n");
@@ -307,6 +312,7 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
unsigned int buf[1];
unsigned int i;
unsigned int write_size;
+ size_t write_size_usb;
DBG (DBG_ASIC, "Mustek_DMAWrite: Enter:size=%d\n", size);
@@ -320,9 +326,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
SetRWSize (chip, 0, buf[0]);
WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);
+ write_size_usb = buf[0];
status =
sanei_usb_write_bulk (chip->fd, lpdata + i * write_size,
- (size_t *) buf);
+ &write_size_usb);
+ buf[0] = write_size_usb;
if (status != STATUS_GOOD)
{
DBG (DBG_ERR, "Mustek_DMAWrite: write error\n");
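Review bot: The result of `WriteIOControl` is dropped on the line before the new `write_size_usb = buf[0];`, so a failed control transfer is still followed by the bulk write and only the bulk status is checked. Assigning and checking it first would stop the transfer early: `status = WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);` followed by `if (status != STATUS_GOOD) return status;`. The second write hunk has the same call, and in the two Mustek_DMARead hunks the value is stored in `status` but overwritten by `sanei_usb_read_bulk` before anything reads it. The function bodies extend beyond these hunks, so any cleanup needed before returning is not visible here.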
@@ -337,9 +345,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
SetRWSize (chip, 0, buf[0]);
WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);
+ write_size_usb = buf[0];
status =
sanei_usb_write_bulk (chip->fd, lpdata + i * write_size,
- (size_t *) buf);
+ &write_size_usb);
+ buf[0] = write_size_usb;
if (status != STATUS_GOOD)
{
DBG (DBG_ERR, "Mustek_DMAWrite: write error\n");
--
2.18.1