sane-backends/CVE-2020-12862.patch

From 27ea994d23ee52fe1ec1249c92ebc1080a358288 Mon Sep 17 00:00:00 2001
From: Olaf Meeuwissen <paddy-hack@member.fsf.org>
Date: Thu, 30 Apr 2020 21:15:45 +0900
Subject: [PATCH] epsonds: Do not read beyond the end of the token

Addresses GHSL-2020-082, re #279.
---
 backend/epsonds-cmd.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
index 9a4db3080..7ca660f1f 100644
--- a/backend/epsonds-cmd.c
+++ b/backend/epsonds-cmd.c
@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len)
 }
 
 /* h000 */
-static char *decode_binary(char *buf)
+static char *decode_binary(char *buf, int len)
 {
 	char tmp[6];
 	int hl;
 
 	memcpy(tmp, buf, 4);
 	tmp[4] = '\0';
+	len -= 4;
 
 	if (buf[0] != 'h')
 		return NULL;
 
 	hl = strtol(tmp + 1, NULL, 16);
+	if (hl > len) hl = len;
 	if (hl) {
 
 		char *v = malloc(hl + 1);
@@ -279,9 +281,9 @@ static char *decode_binary(char *buf)
 	return NULL;
 }
 
-static char *decode_string(char *buf)
+static char *decode_string(char *buf, int len)
 {
-	char *p, *s = decode_binary(buf);
+	char *p, *s = decode_binary(buf, len);
 	if (s == NULL)
 		return NULL;
 
@@ -326,20 +328,20 @@ static SANE_Status info_cb(void *userdata, char *token, int len)
 
 	if (strncmp("PRD", token, 3) == 0) {
 		free(s->hw->model);
-		s->hw->model = decode_string(value);
+		s->hw->model = decode_string(value, len);
 		s->hw->sane.model = s->hw->model;
 		DBG(1, " product: %s\n", s->hw->model);
 		/* we will free the string later */
 	}
 
 	if (strncmp("VER", token, 3) == 0) {
-		char *v = decode_string(value);
+		char *v = decode_string(value, len);
 		DBG(1, " version: %s\n", v);
 		free(v);
 	}
 
 	if (strncmp("S/N", token, 3) == 0) {
-		char *v = decode_string(value);
+		char *v = decode_string(value, len);
 		DBG(1, "  serial: %s\n", v);
 		free(v);
 	}
-- 
GitLab
fix CVE-2020-12862 CVE-2020-12865 2021-02-05 16:37:37 +08:00			`From 27ea994d23ee52fe1ec1249c92ebc1080a358288 Mon Sep 17 00:00:00 2001`
			`From: Olaf Meeuwissen <paddy-hack@member.fsf.org>`
			`Date: Thu, 30 Apr 2020 21:15:45 +0900`
			`Subject: [PATCH] epsonds: Do not read beyond the end of the token`

			`Addresses GHSL-2020-082, re #279.`
			`---`
			`backend/epsonds-cmd.c \| 14 ++++++++------`
			`1 file changed, 8 insertions(+), 6 deletions(-)`

			`diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c`
			`index 9a4db3080..7ca660f1f 100644`
			`--- a/backend/epsonds-cmd.c`
			`+++ b/backend/epsonds-cmd.c`
			`@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len)`
			`}`

			`/* h000 */`
			`-static char decode_binary(char buf)`
			`+static char decode_binary(char buf, int len)`
			`{`
			`char tmp[6];`
			`int hl;`

			`memcpy(tmp, buf, 4);`
			`tmp[4] = '\0';`
			`+ len -= 4;`

			`if (buf[0] != 'h')`
			`return NULL;`

			`hl = strtol(tmp + 1, NULL, 16);`
			`+ if (hl > len) hl = len;`
			`if (hl) {`

			`char *v = malloc(hl + 1);`
			`@@ -279,9 +281,9 @@ static char decode_binary(char buf)`
			`return NULL;`
			`}`

			`-static char decode_string(char buf)`
			`+static char decode_string(char buf, int len)`
			`{`
			`- char p, s = decode_binary(buf);`
			`+ char p, s = decode_binary(buf, len);`
			`if (s == NULL)`
			`return NULL;`

			`@@ -326,20 +328,20 @@ static SANE_Status info_cb(void userdata, char token, int len)`

			`if (strncmp("PRD", token, 3) == 0) {`
			`free(s->hw->model);`
			`- s->hw->model = decode_string(value);`
			`+ s->hw->model = decode_string(value, len);`
			`s->hw->sane.model = s->hw->model;`
			`DBG(1, " product: %s\n", s->hw->model);`
			`/* we will free the string later */`
			`}`

			`if (strncmp("VER", token, 3) == 0) {`
			`- char *v = decode_string(value);`
			`+ char *v = decode_string(value, len);`
			`DBG(1, " version: %s\n", v);`
			`free(v);`
			`}`

			`if (strncmp("S/N", token, 3) == 0) {`
			`- char *v = decode_string(value);`
			`+ char *v = decode_string(value, len);`
			`DBG(1, " serial: %s\n", v);`
			`free(v);`
			`}`
			`--`
			`GitLab`