[sane-devel] Fwd: [sane-Bugs] fixes too small arrays in backend/niash.c
paddy-hack at member.fsf.org
Mon Sep 14 09:28:59 UTC 2015
> I think that this one isn't a bug. I'm considering closing it as
> 'invalid'. May someone double-check ?
When used through a well-behaved SANE frontend nothing bad will happen.
In that respect it is perhaps not a bug.
It sure it a coding style that is begging for trouble and just waiting
to blow up in your face.
All I have to do to turn it into a bug is write a frontend that calls
sane_control_option (h, 17, SANE_ACTION_GET_VALUE, &sane_word, NULL);
and you have a security vulnerability on your hands.
# I thought about passing NULL instead of &sane_word but decided not to
# to avoid an unchecked NULL dereference.
The SANE API Spec has nothing to say on calling sane_control_option with
values of n larger or equal than the option count (optLast for the niash
I don't like the proposed patch much though. How about the attached?
At least it addresses the above issue(s). The coding style issue is not
Hope this helps,
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
Support Free Software Support the Free Software Foundation
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1026 bytes
Desc: not available
More information about the sane-devel