2 files changed, 89 insertions, 0 deletions

diff --git a/debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch b/debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch
new file mode 100644
index 0000000..747bcde
--- /dev/null
+++ b/debian/patches/0720-mustek_usb2-Avoid-stack-smashing.patch
@@ -0,0 +1,88 @@
+From 93340afddfbc4085a5297fe635b65dd7f7f3ef05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= <bernhardu@mailbox.org>
+Date: Mon, 17 Dec 2018 00:05:43 +0100
+Subject: [PATCH] mustek_usb2: Avoid stack smashing.  Fixes #35
+
+Use a properly sized variable in call to sanei_usb_{read,write}_bulk.
+
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886777
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907972
+---
+ backend/mustek_usb2_asic.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/backend/mustek_usb2_asic.c b/backend/mustek_usb2_asic.c
+index b5f3b0a4..b31c7494 100644
+--- a/backend/mustek_usb2_asic.c
++++ b/backend/mustek_usb2_asic.c
+@@ -255,6 +255,7 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+   STATUS status = STATUS_GOOD;
+   unsigned int i, buf[1];
+   unsigned int read_size;
++  size_t read_size_usb;
+ 
+   DBG (DBG_ASIC, "Mustek_DMARead: Enter\n");
+ 
+@@ -268,9 +269,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+       SetRWSize (chip, 1, buf[0]);
+       status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+ 
++      read_size_usb = buf[0];
+       status =
+ 	sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
+-			     (size_t *) buf);
++                             &read_size_usb);
++      buf[0] = read_size_usb;
+       if (status != STATUS_GOOD)
+ 	{
+ 	  DBG (DBG_ERR, "Mustek_DMARead: read error\n");
+@@ -284,9 +287,11 @@ Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+       SetRWSize (chip, 1, buf[0]);
+       status = WriteIOControl (chip, 0x03, 0, 4, (SANE_Byte *) (buf));
+ 
++      read_size_usb = buf[0];
+       status =
+ 	sanei_usb_read_bulk (chip->fd, lpdata + i * read_size,
+-			     (size_t *) buf);
++                             &read_size_usb);
++      buf[0] = read_size_usb;
+       if (status != STATUS_GOOD)
+ 	{
+ 	  DBG (DBG_ERR, "Mustek_DMARead: read error\n");
+@@ -307,6 +312,7 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+   unsigned int buf[1];
+   unsigned int i;
+   unsigned int write_size;
++  size_t write_size_usb;
+ 
+   DBG (DBG_ASIC, "Mustek_DMAWrite: Enter:size=%d\n", size);
+ 
+@@ -320,9 +326,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+       SetRWSize (chip, 0, buf[0]);
+       WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);
+ 
++      write_size_usb = buf[0];
+       status =
+ 	sanei_usb_write_bulk (chip->fd, lpdata + i * write_size,
+-			      (size_t *) buf);
++                              &write_size_usb);
++      buf[0] = write_size_usb;
+       if (status != STATUS_GOOD)
+ 	{
+ 	  DBG (DBG_ERR, "Mustek_DMAWrite: write error\n");
+@@ -337,9 +345,11 @@ Mustek_DMAWrite (PAsic chip, unsigned int size, SANE_Byte * lpdata)
+       SetRWSize (chip, 0, buf[0]);
+       WriteIOControl (chip, 0x02, 0, 4, (SANE_Byte *) buf);
+ 
++      write_size_usb = buf[0];
+       status =
+ 	sanei_usb_write_bulk (chip->fd, lpdata + i * write_size,
+-			      (size_t *) buf);
++                              &write_size_usb);
++      buf[0] = write_size_usb;
+       if (status != STATUS_GOOD)
+ 	{
+ 	  DBG (DBG_ERR, "Mustek_DMAWrite: write error\n");
+-- 
+2.18.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 9a7db3b..464af6b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@
 0150-genesys-Fix-use-of-uninitialized-variable.patch
 #0130-usb-timeout.patch
 0715-20-sane.hwdb_multi-arch.patch
+0720-mustek_usb2-Avoid-stack-smashing.patch