Possible SEGV (null pointer deref) in sanei_configure_attach()
There appears to be a possible NULL pointer dereference in the sanei_configure_attach() function here:
lp = sanei_config_get_string (lp, &token);
if (strncmp (token, "option", 6) == 0)
The sanei_config_get_string() function can return token=NULL (see here), but this is not checked before the call to strncmp().
Stack:
Thread 1 "scanimage" received signal SIGSEGV, Segmentation fault.
__strncmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:227
#0 __strncmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:227
#1 0x00007ffff77173fa in sanei_configure_attach (config_file=config_file@entry=0x7ffff7723a1f "xerox_mfp.conf", config=config@entry=0x7fffffffb590, attach=attach@entry=0x7ffff77140f0 <list_conf_devices>, data=data@entry=0x0)
at ../sanei/sanei_config.c:298
#2 0x00007ffff7720a5b in sane_xerox_mfp_get_devices (device_list=0x7fffffffb5f0, local=<optimized out>) at /build/sane-backends-FM1saq/sane-backends-1.2.1/backend/xerox_mfp.c:1110
#3 0x00007ffff7fac063 in sane_dll_get_devices (device_list=0x7fffffffb718, local_only=0) at /home/gjd/RRFuzz/debug/sane-backends-1.2.1/backend/dll.c:1098
#4 0x00007ffff7fa6e06 in sane_get_devices (dl=0x7fffffffb718, local=0) at /home/gjd/RRFuzz/debug/sane-backends-1.2.1/backend/dll-s.c:21
#5 0x0000555555558f81 in main (argc=<optimized out>, argv=0x7fffffffdfe8) at /usr/src/sane-backends-1.2.1-1/frontend/scanimage.c:2418
PoC:
To reproduce, run scanimage with this file in the same directory.
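
One way to guard the call, shown as an added example that is not part of the original report or of the sane-backends code. get_token() and classify_line() are hypothetical stand-ins, and the condition under which the stand-in yields no token (a quoted token that is never closed, or a failed allocation) is an assumption made for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a tokenizer with the contract described in the
 * report: it may leave *token == NULL. Here that happens for a quoted token
 * whose closing quote is missing (an assumption made for this example). */
static const char *get_token(const char *s, char **token)
{
    const char *start;
    size_t len;

    while (*s && isspace((unsigned char)*s))
        s++;
    if (*s == '"') {
        start = ++s;
        while (*s && *s != '"')
            s++;
        len = (size_t)(s - start);
        if (*s == '"')
            s++;
        else
            start = NULL;           /* unterminated: no token produced */
    } else {
        start = s;
        while (*s && !isspace((unsigned char)*s))
            s++;
        len = (size_t)(s - start);
    }
    *token = NULL;
    if (start) {
        *token = malloc(len + 1);   /* stays NULL if allocation fails */
        if (*token) { memcpy(*token, start, len); (*token)[len] = '\0'; }
    }
    return s;
}

/* Returns 1 for an "option" line, 0 for any other line, -1 when the
 * tokenizer produced no token. The NULL test must precede strncmp(). */
int classify_line(const char *line)
{
    char *token;
    int is_option;

    get_token(line, &token);
    if (token == NULL)
        return -1;                  /* skip the line instead of crashing */
    is_option = (strncmp(token, "option", 6) == 0);
    free(token);
    return is_option;
}
```
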