[sane-devel] Potential buffer overflow when scanning more than 16384 bytes per line with Brother MFC-6490CW

Yuval Levy yuval.levy at ryerson.ca
Sat Jun 27 18:07:53 UTC 2015

Good day developers!

I need direction and help tracking down a bug.  I have done some
testing, described in detail below, and found that on my system
scanimage hangs if the data for a single line is more than 16384 bytes.

My intuition is that somewhere in the driver or in the scanning software
there is a 16384-byte limit for a single line, possibly a buffer or a
counter, and the scanner times out when trying to scan a document that
is too wide at too high a resolution.

* Brother MFC-6490CW connected via the network (but I tested also with
USB connection and the same limit applies)
* A plain simple desktop PC, Intel i3-2125, 8GB RAM
* Also tested with an ultrabook, Intel i5-5400, 8GB RAM

Operating System:
* Main operating system on both machines: Xubuntu 14.04.2 LTS 64-bit
* Tested with Ubuntu 15.04 32-bit as well (same results)
* Tested with Windows 7 (no problems at all)

Reproducing the issue:

SANE_DEBUG_DLL=128 scanimage -d "brother3:net1;dev0" --format=tiff -p \
    --mode "24bit Color" --resolution=600dpi --source="FlatBed" \
    -l 0 -t 0 -x 232 -y 10 > /tmp/test.tif

Relevant output:

[dll] sane_start(handle=0xcff680)
[dll] sane_get_parameters(handle=0xcff680,params=0x7ffc24ac06f0)

then there is a long wait, the scanner times out (hear the noise of the
lamp going back into rest position), scanimage hangs for a while and
then goes wild until interrupted, printing a flurry of


Rounding up the issue:
* No problems scanning that size/density in Windows -- tells me it is
not an issue with the MFC-6940CW itself and narrows the search field to
the Linux driver and/or scanning software
* The problem is the same whether I connect the scanner via network (my
default setup) or USB -- tells me it is not an issue with how the data
is transmitted
* The problem is the same in Xubuntu 14.04.2 64-bit and in Ubuntu 15.04
32-bit -- tells me it is not an issue of whether the software was
compiled for 32 or 64 bits, nor that there has been a recent addition to
the 'buntu repository version of scanimage that solved the issue

Limiting the issue: scanimage performs as expected if either of these
parameters is changed:
** -x is smaller than 232
** --mode is "True Gray"
** --resolution=600dpi

All three changes have one thing in common: they reduce the weight of
the data generated when scanning one line.

At -x 231, the resulting image is 5456 pixels wide, which is 16368 bytes
at 24bit.  Very close to 16384, a power of two often used to
size buffers.  My suspicion is that somewhere between the scanning
software and the driver there is a buffer or a counter limited to 16484
bytes.  When that limit is reached, the scanner is left hanging until it
times out.

I am at the end of my own resources and need further direction / help.
While I do have some experience with building object code from source
code and can follow directions to modify little things and test them, I
am unfamiliar with SANE.  Moreover, part of the software (Brother's
driver) is closed source, making it difficult to analyze.  Can somebody
be kind, validate or deconstruct my analysis, and point me to the next
step in identifying and solving the bottleneck?  Short of falling back
to Windows I do not know what to do, and I would rather run this high
volume low priority scan job in the background on my workstation than go
through the trouble of setting up an additional machine for the job.

Many thanks in advance!

Yuval Levy, JD, MBA, CFA
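
The line-size arithmetic from the message above, carried through for the reported geometry and fed into a bounded line buffer that rejects an over-long line instead of hanging or writing past its end. This is an added example, not code from SANE, scanimage or the Brother driver; the fixed 16384-byte buffer, the truncating pixel rounding and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF_SIZE 16384u /* assumed fixed limit: the size the post suspects */
enum { LINE_OK = 0, LINE_TOO_LONG = -1 };
struct line_buf { unsigned char data[LINE_BUF_SIZE]; size_t used; };

/* Bytes in one scan line. Assumes the pixel count is truncated, which matches
 * the 5456 pixels reported for -x 231 at 600 dpi. Returns 0 on bad input. */
size_t bytes_per_line(double width_mm, unsigned dpi, unsigned channels, unsigned depth_bits)
{
    if (width_mm <= 0 || width_mm > 1000 || dpi == 0 || dpi > 9600 ||
        channels == 0 || channels > 4 || (depth_bits != 8 && depth_bits != 16))
        return 0;
    return (size_t)(width_mm / 25.4 * dpi) * channels * (depth_bits / 8);
}

/* Append a chunk to the line; refuse rather than write past the buffer. */
int line_append(struct line_buf *lb, const unsigned char *chunk, size_t n)
{
    if (n > sizeof lb->data - lb->used)
        return LINE_TOO_LONG;
    memcpy(lb->data + lb->used, chunk, n);
    lb->used += n;
    return LINE_OK;
}

/* Feed one line of `total` bytes in 4096-byte pieces (constructed data). */
int receive_line(size_t total)
{
    static const unsigned char payload[4096]; /* constructed, all zero */
    struct line_buf lb = { .used = 0 };
    while (total > 0) {
        size_t n = total < sizeof payload ? total : sizeof payload;
        if (line_append(&lb, payload, n) != LINE_OK)
            return LINE_TOO_LONG; /* caller gets an error, not a hang */
        total -= n;
    }
    return LINE_OK;
}

int main(void)
{
    for (unsigned x = 230; x <= 233; x++)
        printf("-x %u: %zu bytes/line, rc=%d\n", x, bytes_per_line(x, 600, 3, 8),
               receive_line(bytes_per_line(x, 600, 3, 8)));
    return 0;
}
```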
