Description: prevent out-of-bounds
Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
Forwarded: http://lists.alioth.debian.org/pipermail/sane-devel/2014-October
Last-Update: 2014-10-26
---
Index: trunk/backend/genesys_devices.c
===================================================================
--- trunk.orig/backend/genesys_devices.c
+++ trunk/backend/genesys_devices.c
@@ -3362,7 +3362,7 @@ static Genesys_Model canon_formula101_mo
   100
 };
 
-
+/* put the size on MAX_SCANNERS in genesys_low.h */
 static Genesys_USB_Device_Entry genesys_usb_device_list[] = {
   /* GL646 devices */
   {0x03f0, 0x0901, &hp2300c_model},
Index: trunk/backend/genesys_low.h
===================================================================
--- trunk.orig/backend/genesys_low.h
+++ trunk/backend/genesys_low.h
@@ -309,8 +309,9 @@ typedef enum Genesys_Color_Order
 }
 Genesys_Color_Order;
 
-
-#define MAX_SCANNERS 50
+/* To prevent out-of-bounds errors MAX_SCANNERS must be the size of genesys_usb_device_list */
+/* found on genesys_devices.c                                                               */
+#define MAX_SCANNERS 40
 #define MAX_RESOLUTIONS 13
 #define MAX_DPI 4
 
Index: trunk/backend/umax1220u-common.c
===================================================================
--- trunk.orig/backend/umax1220u-common.c
+++ trunk/backend/umax1220u-common.c
@@ -972,7 +972,8 @@ move_2100U (UMAX_Handle * scan, int dist
   unsigned char ope2[3] = {
     0x00, 0xff, 0xff
   };
-  unsigned char buf[512];
+  /* To prevent out-of-bounds in functions (PAD|CKK)_ARRAY set the size from 512 to 522 */
+  unsigned char buf[512 + PAD];
 
 
   SANE_Status res;
Index: trunk/backend/hs2p.h
===================================================================
--- trunk.orig/backend/hs2p.h
+++ trunk/backend/hs2p.h
@@ -264,7 +264,8 @@ typedef struct HS2P_Scanner
   Option_Value val[NUM_OPTIONS];
   SANE_Parameters params;	/* SANE image parameters */
   /* additional values that don't fit into Option_Value representation */
-  SANE_Word gamma_table[GAMMA_LENGTH];	/* Custom Gray Gamma Table */
+  /* To prevnted out-of-bounds add + 2                                 */
+  SANE_Word gamma_table[GAMMA_LENGTH + 2];	/* Custom Gray Gamma Table */
 
   /* state information - not options */
 
Index: trunk/backend/niash.c
===================================================================
--- trunk.orig/backend/niash.c
+++ trunk/backend/niash.c
@@ -64,6 +64,7 @@
 
 
 /* options enumerator */
+/* on changes please check the typedef struct TScanner */
 typedef enum
 {
   optCount = 0,
@@ -105,8 +106,8 @@ typedef union
 
 typedef struct
 {
-  SANE_Option_Descriptor aOptions[optLast];
-  TOptionValue aValues[optLast];
+  SANE_Option_Descriptor aOptions[optGamma + 1];
+  TOptionValue aValues[optGamma + 1];
 
   TScanParams ScanParams;
   THWParams HWParams;