Possible SEGV (heap bounds overwrite) in init_options() (test.c)
There is a possible heap bounds overwrite in init_options() from test.c (see here):
od->size = (SANE_Int) max_string_size (mode_list);
...
test_device->val[opt_mode].s = malloc ((size_t) od->size);
...
strcpy (test_device->val[opt_mode].s, init_mode);
The test_device->val[opt_mode].s buffer is sized to the longest entry in mode_list. However, the init_mode string is read directly from a file and can be of any length, so the call to strcpy() can write past the end of the buffer. This corrupts the heap, leading to a SEGV in a later call to malloc().
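The following is an added example, not code from the sane-backends project, showing the hardened shape of this allocation: the value read from the file is accepted only if it is a member of the mode list (a constructed two-entry list is assumed here), so its length is bounded by the list that also sizes the buffer and strcpy() can no longer overrun it.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the backend's mode_list (assumption). */
static const char *mode_list[] = { "Gray", "Color", NULL };

/* Mirrors what max_string_size() computes: longest entry plus NUL. */
static size_t max_string_size_of(const char *const *list)
{
    size_t max = 0;
    for (; *list; list++) {
        size_t n = strlen(*list) + 1;
        if (n > max) max = n;
    }
    return max;
}

/* Hardened allocation: the value is accepted only if it is one of the
 * allowed modes, so its length is bounded by the list and never by the
 * file it was read from. Returns NULL (allocating nothing) on rejection. */
char *alloc_mode_value(const char *const *list, const char *init_mode)
{
    size_t size = max_string_size_of(list);
    if (!init_mode || strlen(init_mode) + 1 > size)
        return NULL;                       /* too long for the buffer */
    for (const char *const *p = list; *p; p++) {
        if (strcmp(*p, init_mode) == 0) {
            char *s = malloc(size);
            if (s)
                memcpy(s, init_mode, strlen(init_mode) + 1); /* fits by construction */
            return s;
        }
    }
    return NULL;                           /* not a known mode */
}

/* Convenience wrapper for testing: 1 if the value was accepted, 0 if rejected. */
int mode_accepted(const char *init_mode)
{
    char *s = alloc_mode_value(mode_list, init_mode);
    int ok = (s != NULL);
    free(s);
    return ok;
}
```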
Stack:
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=av@entry=0x7ffff7df6c80 <main_arena>, bytes=bytes@entry=4)
at ./malloc/malloc.c:3989
#0 _int_malloc (av=av@entry=0x7ffff7df6c80 <main_arena>, bytes=bytes@entry=4)
at ./malloc/malloc.c:3989
#1 0x00007ffff7c9f592 in __GI___libc_malloc (bytes=bytes@entry=4)
at ./malloc/malloc.c:3297
#2 0x00007ffff771d0eb in init_options (test_device=0x55555557b0f0)
at /build/sane-backends-FM1saq/sane-backends-1.2.1/backend/test.c:469
#3 sane_test_open (devicename=<optimized out>, handle=<optimized out>)
at /build/sane-backends-FM1saq/sane-backends-1.2.1/backend/test.c:2014
#4 0x00007ffff7f96de6 in sane_dll_open (full_name=<optimized out>,
full_name@entry=0x7fffffffe32f "test",
meta_handle=meta_handle@entry=0x5555555644b8 <device>)
at /build/sane-backends-FM1saq/sane-backends-1.2.1/backend/dll.c:1294
#5 0x00007ffff7f96fd9 in sane_open (name=name@entry=0x7fffffffe32f "test",
h=h@entry=0x5555555644b8 <device>)
at /build/sane-backends-FM1saq/sane-backends-1.2.1/backend/dll-s.c:27
#6 0x0000555555557188 in main (argc=<optimized out>, argv=0x7fffffffdff8)
at /usr/src/sane-backends-1.2.1-1/frontend/scanimage.c:2434
PoC:
To reproduce, run scanimage -d test.