Nick Lamb wrote:
> > I didn't look into the new scanning code, but 0.74 had in fact a
> > vulnerability (buffer overrun), if the backend offers actually more data
> > than was precalculated by the front end.
> >
> > This is/was really a bug in the front end Xsane, because the parameters
> > to sane_read (amount of data requested) don't mention the coming end of
> > the buffer (always requesting 64K/8K).
>
> I'm having trouble understanding this, can you give a concrete example,
> showing the SANE API calls made by Xsane, the response from the backend
> and where this leads to an overrun?
Perhaps I can sniff some debugging output. Unfortunately not here and
now :-(

The point is that the Xsane frontend allocates a buffer depending on
the sane_param (? I don't have the specs here) call returning the
dimensions of the scan window.

Despite this, the frontend always requests blocks of 8KB (gray) and 64KB
(RGB), even if the end of the allocated picture buffer lies within this
chunk size and cannot swallow this whole chunk.

Thus, any backend that is keen to deliver actually more data than XSane
expects will overflow XSane's scan buffer.

You are right, I have to deliver some body of evidence :-)))
Mit freundlichen Gruessen / Yours sincerely
Marian Eichholz
- - - - - - - - - - -
Marian Eichholz
Postmaster
freenet.de AG
Deelbögenkamp 4c
22297 Hamburg
Chairman of the Supervisory Board: Gerhard Schmid
Executive Board: Eckhard Spoerr (Chairman), Axel Krieger
Hamburg District Court, HRB 74048
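An added illustration of the read loop discussed in this thread (not code from XSane or the SANE project, and a constructed stand-in backend rather than the real sane_read): the frontend clamps each request to the space left in its precalculated picture buffer, and once the buffer is full it reports a backend that still has data instead of handing it a chunk the buffer cannot swallow. `backend_read`, `read_image` and `simulate` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a SANE backend (not the real sane_read): it holds
 * `avail` bytes of scan data and hands out at most `maxlen` per call. A
 * backend with more data than the frontend precalculated is modelled by
 * making `avail` larger than the frontend's picture buffer. */
struct fake_backend { size_t avail, pos; };
static size_t backend_read(struct fake_backend *b, unsigned char *dst, size_t maxlen)
{
    size_t n = b->avail - b->pos;
    if (n > maxlen) n = maxlen;
    memset(dst, 0xAB, n);                 /* stand-in for pixel bytes */
    b->pos += n;
    return n;
}
enum read_status { READ_OK, READ_SHORT, READ_EXTRA_DATA, READ_CONTRACT_VIOLATION };
/* Frontend read loop. `cap` is the picture-buffer size derived from the scan
 * parameters; `chunk` is the fixed request size (8K gray / 64K RGB). The fix
 * is the clamp on `maxlen`: the request never exceeds the space left in
 * `buf`, so a backend with surplus data is never handed room it lacks. */
static enum read_status read_image(struct fake_backend *b, unsigned char *buf,
                                   size_t cap, size_t chunk, size_t *got)
{
    size_t off = 0;
    while (off < cap) {
        size_t maxlen = cap - off;        /* the bound the 0.74 loop lacked */
        if (maxlen > chunk) maxlen = chunk;
        size_t n = backend_read(b, buf + off, maxlen);
        if (n > maxlen) return READ_CONTRACT_VIOLATION; /* ignored maxlen */
        if (n == 0) break;                /* backend reports end of data */
        off += n;
    }
    *got = off;
    if (off < cap) return READ_SHORT;
    /* Buffer full: a backend that still has data is the overrun case from
     * the mail; report it rather than write past the end of `buf`. */
    unsigned char probe;
    return backend_read(b, &probe, 1) ? READ_EXTRA_DATA : READ_OK;
}
/* Run one scenario against a freshly allocated buffer of `cap` bytes. */
static enum read_status simulate(size_t avail, size_t cap, size_t chunk, size_t *got)
{
    struct fake_backend b = { avail, 0 };
    unsigned char *buf = malloc(cap);
    if (!buf) { *got = 0; return READ_SHORT; }
    enum read_status s = read_image(&b, buf, cap, chunk, got);
    free(buf);
    return s;
}
```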
-- Source code, list archive, and docs: http://www.mostang.com/sane/ To unsubscribe: echo unsubscribe sane-devel | mail majordomo@mostang.com
This archive was generated by hypermail 2b29 : Thu May 10 2001 - 02:04:31 PDT