[sane-devel] Fwd: [sane-Bugs][315132] fixes too small arrays in backend/niash.c

Olaf Meeuwissen paddy-hack at member.fsf.org
Mon Sep 14 09:28:59 UTC 2015

Stef writes:

>      Hello,
>      I think that this one isn't a bug. I'm considering closing it as 
> 'invalid'. May someone double-check?

When used through a well-behaved SANE frontend nothing bad will happen.
In that respect it is perhaps not a bug.

It sure is a coding style that is begging for trouble and just waiting
to blow up in your face.

All I have to do to turn it into a bug is write a frontend that calls

  SANE_Word sane_word;
  sane_control_option (h, 17, SANE_ACTION_GET_VALUE, &sane_word, NULL);

and you have a security vulnerability on your hands.
# I thought about passing NULL instead of &sane_word but decided not to
# to avoid an unchecked NULL dereference.

The SANE API Spec has nothing to say on calling sane_control_option with
values of n larger than or equal to the option count (optLast for the niash

I don't like the proposed patch much though.  How about the attached?
At least it addresses the above issue(s).  The coding style issue is not
addressed though.

Hope this helps,
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
Support Free Software               Support the Free Software Foundation
https://my.fsf.org/donate                        https://my.fsf.org/join
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-niash.c-Add-argument-screening-to-sane_control_optio.patch
Type: text/x-diff
Size: 1026 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/sane-devel/attachments/20150914/970e8a78/attachment.patch>
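Added example, not part of the original message and not the attached patch: a minimal C sketch of the kind of argument screening the patch name refers to, rejecting an out-of-range option index and NULL pointers before the option array is touched. The types, constants and function names below are hypothetical stand-ins for the SANE ones, so the block builds without sane.h.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the SANE word, status and action types. */
typedef int32_t word_t;
typedef enum { ST_GOOD, ST_INVAL } status_t;
typedef enum { ACT_GET_VALUE, ACT_SET_VALUE } action_t;

/* Hypothetical option table; opt_last plays the role of the option count. */
enum { opt_count = 0, opt_dpi, opt_mode, opt_last };

typedef struct { word_t values[opt_last]; } scanner_t;

/* Screen every argument before indexing values[] with a caller-supplied n. */
status_t control_option(scanner_t *s, int n, action_t action,
                        void *value, word_t *info)
{
    if (s == NULL || value == NULL)
        return ST_INVAL;        /* avoids an unchecked NULL dereference */
    if (n < 0 || n >= opt_last)
        return ST_INVAL;        /* index would land outside values[] */
    if (info != NULL)
        *info = 0;

    switch (action) {
    case ACT_GET_VALUE:
        *(word_t *)value = s->values[n];
        return ST_GOOD;
    case ACT_SET_VALUE:
        s->values[n] = *(const word_t *)value;
        return ST_GOOD;
    default:
        return ST_INVAL;        /* unknown action */
    }
}

/* Constructed demonstration: the call from the message (n = 17) is
 * rejected and the caller's word is left untouched. Returns 1 on success. */
int demo_rejects_out_of_range(void)
{
    scanner_t s = { { opt_last, 300, 0 } };
    word_t w = -1;
    return control_option(&s, 17, ACT_GET_VALUE, &w, NULL) == ST_INVAL
        && w == -1;
}
```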
