Description: prevent out-of-bounds Author: Jörg Frings-Fürst <debian@jff-webhosting.net> Forwarded: http://lists.alioth.debian.org/pipermail/sane-devel/2014-October Last-Update: 2014-10-26 --- Index: trunk/backend/genesys_devices.c =================================================================== --- trunk.orig/backend/genesys_devices.c +++ trunk/backend/genesys_devices.c @@ -3362,7 +3362,7 @@ static Genesys_Model canon_formula101_mo 100 }; - +/* put the size on MAX_SCANNERS in genesys_low.h */ static Genesys_USB_Device_Entry genesys_usb_device_list[] = { /* GL646 devices */ {0x03f0, 0x0901, &hp2300c_model}, Index: trunk/backend/genesys_low.h =================================================================== --- trunk.orig/backend/genesys_low.h +++ trunk/backend/genesys_low.h @@ -309,8 +309,9 @@ typedef enum Genesys_Color_Order } Genesys_Color_Order; - -#define MAX_SCANNERS 50 +/* To prevent out-of-bounds errors MAX_SCANNERS must be the size of genesys_usb_device_list */ +/* found on genesys_devices.c */ +#define MAX_SCANNERS 40 #define MAX_RESOLUTIONS 13 #define MAX_DPI 4 Index: trunk/backend/umax1220u-common.c =================================================================== --- trunk.orig/backend/umax1220u-common.c +++ trunk/backend/umax1220u-common.c @@ -972,7 +972,8 @@ move_2100U (UMAX_Handle * scan, int dist unsigned char ope2[3] = { 0x00, 0xff, 0xff }; - unsigned char buf[512]; + /* To prevent out-of-bounds in functions (PAD|CKK)_ARRAY set the size from 512 to 522 */ + unsigned char buf[512 + PAD]; SANE_Status res; Index: trunk/backend/hs2p.h =================================================================== --- trunk.orig/backend/hs2p.h +++ trunk/backend/hs2p.h @@ -264,7 +264,8 @@ typedef struct HS2P_Scanner Option_Value val[NUM_OPTIONS]; SANE_Parameters params; /* SANE image parameters */ /* additional values that don't fit into Option_Value representation */ - SANE_Word gamma_table[GAMMA_LENGTH]; /* Custom Gray Gamma Table */ + /* To prevnted out-of-bounds add + 2 */ + SANE_Word gamma_table[GAMMA_LENGTH + 2]; /* Custom Gray Gamma Table */ /* state information - not options */ Index: trunk/backend/niash.c =================================================================== --- trunk.orig/backend/niash.c +++ trunk/backend/niash.c @@ -64,6 +64,7 @@ /* options enumerator */ +/* on changes please check the typedef struct TScanner */ typedef enum { optCount = 0, @@ -105,8 +106,8 @@ typedef union typedef struct { - SANE_Option_Descriptor aOptions[optLast]; - TOptionValue aValues[optLast]; + SANE_Option_Descriptor aOptions[optGamma + 1]; + TOptionValue aValues[optGamma + 1]; TScanParams ScanParams; THWParams HWParams;