Bug#992721: hplip: Scanning with Deskjet 3050A J611 crash
Hello Florence, dear Maintainer,
then attached patch is growing this buffer from 6
to 10 usable bytes, making a size around 1 TB possible.
And tries to break the loop before overrunning the buffer.
Unfortunately I cannot test this patch,
so it is completely untested, just compiles...
Kind regards,
Bernhard
Description: Resize buffer and try not to overrun it
Author: Bernhard Übelacker <bernhardu@mailbox.org>
Bug-Debian: https://bugs.debian.org/992721
Forwarded: no
Last-Update: 2021-09-20
Index: hplip-3.21.6+dfsg0/scan/sane/bb_ledm.c
===================================================================
--- hplip-3.21.6+dfsg0.orig/scan/sane/bb_ledm.c
+++ hplip-3.21.6+dfsg0/scan/sane/bb_ledm.c
@@ -1085,7 +1085,7 @@ bugout:
int get_size(struct ledm_session* ps)
{
struct bb_ledm_session *pbb = ps->bb_session;
- char buffer[7];
+ char buffer[11];
int i=0, tmo=50, len;
if(ps->currentResolution >= 1200) tmo *= 5;
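Review bot: The new size in `char buffer[11];` is an unexplained magic number, and it holds fewer size digits than the figure suggests. The loop below stores the trailing '\r' and '\n' in the same buffer and then writes a '\0' at `buffer+i+1`, so three of the 11 bytes are taken by CR, LF and the terminator. That leaves 8 digits before the terminator write lands outside the array. Please introduce a named constant with a comment stating the maximum number of digits expected, and size the array as digits + 3.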
@@ -1093,7 +1093,11 @@ int get_size(struct ledm_session* ps)
while(1)
{
if(http_read_size(pbb->http_handle, buffer+i, 1, tmo, &len) == 2) return 0;
- if( i && *(buffer+i) == '\n' && *(buffer+i-1) == '\r') break;
+ if( (i && *(buffer+i) == '\n' && *(buffer+i-1) == '\r') ||
+ (i >= sizeof(buffer)-1) )
+ {
+ break;
+ }
i++;
}
*(buffer+i+1)='\0';
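Review bot: The new bound check still lets the terminator write go out of bounds. When the loop exits through `(i >= sizeof(buffer)-1)`, i is 10, and the unchanged `*(buffer+i+1)='\0';` then writes to buffer[11], one byte past the end of `char buffer[11]`. Either stop earlier (`i >= sizeof(buffer)-2`) or terminate at `buffer+i` on that path. Leaving the loop on the cap is also indistinguishable from finding "\r\n", so a size line that was too long continues as if it were complete. Returning 0 there, as the `http_read_size(...) == 2` case does, would make the failure explicit. Minor: `i` is an int compared against a size_t, which will draw a sign-compare warning; a cast or a size_t index avoids it.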