Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
What's new
9
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Switch to GitLab Next
Sign in / Register
Toggle navigation
Open sidebar
sane-project
backends
Commits
27ea994d
Commit
27ea994d
authored
Apr 30, 2020
by
Olaf Meeuwissen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
epsonds: Do not read beyond the end of the token
Addresses GHSL-2020-082, re
#279
.
parent
e52a5bf7
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
8 additions
and
6 deletions
+8
-6
backend/epsonds-cmd.c
backend/epsonds-cmd.c
+8
-6
No files found.
backend/epsonds-cmd.c
View file @
27ea994d
...
...
@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len)
}
/* h000 */
static
char
*
decode_binary
(
char
*
buf
)
static
char
*
decode_binary
(
char
*
buf
,
int
len
)
{
char
tmp
[
6
];
int
hl
;
memcpy
(
tmp
,
buf
,
4
);
tmp
[
4
]
=
'\0'
;
len
-=
4
;
if
(
buf
[
0
]
!=
'h'
)
return
NULL
;
hl
=
strtol
(
tmp
+
1
,
NULL
,
16
);
if
(
hl
>
len
)
hl
=
len
;
if
(
hl
)
{
char
*
v
=
malloc
(
hl
+
1
);
...
...
@@ -279,9 +281,9 @@ static char *decode_binary(char *buf)
return
NULL
;
}
static
char
*
decode_string
(
char
*
buf
)
static
char
*
decode_string
(
char
*
buf
,
int
len
)
{
char
*
p
,
*
s
=
decode_binary
(
buf
);
char
*
p
,
*
s
=
decode_binary
(
buf
,
len
);
if
(
s
==
NULL
)
return
NULL
;
...
...
@@ -326,20 +328,20 @@ static SANE_Status info_cb(void *userdata, char *token, int len)
if
(
strncmp
(
"PRD"
,
token
,
3
)
==
0
)
{
free
(
s
->
hw
->
model
);
s
->
hw
->
model
=
decode_string
(
value
);
s
->
hw
->
model
=
decode_string
(
value
,
len
);
s
->
hw
->
sane
.
model
=
s
->
hw
->
model
;
DBG
(
1
,
" product: %s
\n
"
,
s
->
hw
->
model
);
/* we will free the string later */
}
if
(
strncmp
(
"VER"
,
token
,
3
)
==
0
)
{
char
*
v
=
decode_string
(
value
);
char
*
v
=
decode_string
(
value
,
len
);
DBG
(
1
,
" version: %s
\n
"
,
v
);
free
(
v
);
}
if
(
strncmp
(
"S/N"
,
token
,
3
)
==
0
)
{
char
*
v
=
decode_string
(
value
);
char
*
v
=
decode_string
(
value
,
len
);
DBG
(
1
,
" serial: %s
\n
"
,
v
);
free
(
v
);
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment