
Bug#992721: hplip: Scanning with Deskjet 3050A J611 crash



Hello Florence, dear Maintainer,
the attached patch is growing this buffer from 6
to 10 usable bytes, making a size around 1 TB possible.
And tries to break the loop before overrunning the buffer.

Unfortunately I cannot test this patch,
so it is completely untested, just compiles...

Kind regards,
Bernhard

Description: Resize buffer and try not to overrun it

Author: Bernhard Übelacker <bernhardu@mailbox.org>
Bug-Debian: https://bugs.debian.org/992721
Forwarded: no
Last-Update: 2021-09-20

Index: hplip-3.21.6+dfsg0/scan/sane/bb_ledm.c
===================================================================
--- hplip-3.21.6+dfsg0.orig/scan/sane/bb_ledm.c
+++ hplip-3.21.6+dfsg0/scan/sane/bb_ledm.c
@@ -1085,7 +1085,7 @@ bugout:
 int get_size(struct ledm_session* ps)
 {
   struct bb_ledm_session *pbb = ps->bb_session;
-  char buffer[7];
+  char buffer[11];
   int i=0, tmo=50, len;
 
   if(ps->currentResolution >= 1200) tmo *= 5;
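Review bot: `char buffer[11]` is a bare number with no comment on how it was chosen, and the loop in the following hunk stores the '\r', the '\n' and the terminating '\0' in this same array, so only 8 of the 11 bytes are left for the characters that precede the CRLF. Suggest a named constant with a comment stating the longest line get_size() is meant to accept, sized as that length plus 3, so the declaration and the `sizeof(buffer)` bound in the loop stay in step.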
@@ -1093,7 +1093,11 @@ int get_size(struct ledm_session* ps)
   while(1)
   {
     if(http_read_size(pbb->http_handle, buffer+i, 1, tmo, &len) == 2) return 0;
-    if( i && *(buffer+i) == '\n' && *(buffer+i-1) == '\r') break;
+    if( (i && *(buffer+i) == '\n' && *(buffer+i-1) == '\r') ||
+        (i >= sizeof(buffer)-1) )
+    {
+      break;
+    }
     i++;
   }
   *(buffer+i+1)='\0';
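Review bot: the new bound `i >= sizeof(buffer)-1` still allows an out-of-bounds write, because the loop can exit with i == 10 and the unchanged `*(buffer+i+1)='\0';` after it then stores to buffer[11], one byte past the end of the 11-byte array. The same happens when the CRLF completes exactly at i == 10. Suggest breaking at `i >= sizeof(buffer)-2` so the terminator always lands inside the array. Separately, leaving the loop on the bound without having seen "\r\n" falls through to the same code as a complete line; returning 0 there, as the `http_read_size(...) == 2` path already does, would keep a truncated size line from being treated as a valid one.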
