Commit b9b01734 authored by Olaf Meeuwissen's avatar Olaf Meeuwissen

epsonds: Prevent possible buffer overflow when reading image data

Addresses GHSL-2020-084, re #279.
parent e52a5bf7
......@@ -876,6 +876,11 @@ esci2_img(struct epsonds_scanner *s, SANE_Int *length)
return parse_status;
}
/* more data than was accounted for in s->buf */
if (more > s->bsz) {
return SANE_STATUS_IO_ERROR;
}
/* ALWAYS read image data */
if (s->hw->connection == SANE_EPSONDS_NET) {
epsonds_net_request_read(s, more);
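Review bot: The new `more > s->bsz` rejection returns SANE_STATUS_IO_ERROR without any log output, so a device (or a network peer on the SANE_EPSONDS_NET path) announcing an oversized block looks the same as an ordinary transport failure. A debug line before the return would make the condition diagnosable, e.g. `DBG(1, "%s: announced image block exceeds transfer buffer\n", __func__);`. The announced payload is also left unread on the connection, so callers should treat this status as fatal for the scan rather than retry. esci2_img starts and ends outside the hunk, so how callers react is not visible here, and neither is whether other receives into s->buf use a device-supplied length that needs the same bound.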
......
......@@ -1230,16 +1230,18 @@ sane_start(SANE_Handle handle)
if (s->line_buffer == NULL)
return SANE_STATUS_NO_MEM;
/* ring buffer for front page, twice bsz */
/* transfer buffer size, bsz */
/* XXX read value from scanner */
status = eds_ring_init(&s->front, (65536 * 4) * 2);
s->bsz = (65536 * 4);
/* ring buffer for front page */
status = eds_ring_init(&s->front, s->bsz * 2);
if (status != SANE_STATUS_GOOD) {
return status;
}
/* transfer buffer, bsz */
/* XXX read value from scanner */
s->buf = realloc(s->buf, 65536 * 4);
/* transfer buffer */
s->buf = realloc(s->buf, s->bsz);
if (s->buf == NULL)
return SANE_STATUS_NO_MEM;
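Review bot: In the new `s->buf = realloc(s->buf, s->bsz);` a failed realloc overwrites the pointer to the old transfer buffer with NULL while s->bsz, assigned a few lines earlier, still reports 65536 * 4 bytes. The size field then no longer describes the allocation that the bound check in esci2_img relies on, and the old block is lost. Assigning through a temporary keeps the two in step: `SANE_Byte *tmp = realloc(s->buf, s->bsz);`, `if (tmp == NULL) { s->bsz = 0; return SANE_STATUS_NO_MEM; }`, `s->buf = tmp;`. The early return after eds_ring_init fails has the same mismatch, because s->bsz is already set while s->buf may not yet have been allocated. sane_start starts and ends outside the hunk.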
......
......@@ -160,6 +160,7 @@ struct epsonds_scanner
Option_Value val[NUM_OPTIONS];
SANE_Parameters params;
size_t bsz; /* transfer buffer size */
SANE_Byte *buf, *line_buffer;
ring_buffer *current, front, back;
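Review bot: The comment on `bsz` does not state the invariant the fix depends on: the field has to equal the number of bytes allocated at `buf` at all times, and it is the upper bound for lengths announced by the device. I would write `size_t bsz; /* bytes allocated at buf; upper bound for device-announced read lengths */`. How the struct is allocated is not visible in this hunk. If it is not zero-initialised, bsz is indeterminate until sane_start runs, so it is worth setting to 0 where the scanner is created.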
......