Bug in sane_close

• Previous message: Dave Hill: "Re: Latest sane CVS, Epson GT7000 and xsane"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Jochen Eisinger just found the following bug in sane_close in mustek.c. I
will fix this in mustek.c. Please check your backend! At least the following
backends are also affected: abaton, apple, artec, avision, epson, pint,
qcam, tamarack, umax.

  /* remove handle from list of open handles: */
  prev = 0;
  for (s = first_handle; s; s = s->next)
    {
      if (s == handle)
        break;
      prev = s;
    }
  if (!s)
    {
      DBG(1, "close: invalid handle %p\n", handle);
      return;/* oops, not a handle we know about */
    }

[...]

  if (prev)
    prev->next = s->next;
  else
    first_handle = s;

  free (handle);

If the current handle is first_handle, first_handle will point to a freed
pointer after sane_close. The next sane_close() (if there is another one) will
probably segfault.

Fix:

  if (prev)
    prev->next = s->next;
  else
    first_handle = s->next;
                   ^^^^^^^

This bug was introduced 1996-12-12 in sane-0.3 :-)

Ciao,
  Henning

--
Source code, list archive, and docs: http://www.mostang.com/sane/
To unsubscribe: echo unsubscribe sane-devel | mail majordomo@mostang.com

• Next message: John Buell: "Fw: Progress (?) with scanner in TurboLinux"
• Previous message: Dave Hill: "Re: Latest sane CVS, Epson GT7000 and xsane"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 12:35:39 PDT