Bug#583273: libsane-hpaio: duplex option descriptor uninitialized

Matej Vela vela at debian.org
Thu May 17 21:14:12 UTC 2012


retitle 583273 libsane-hpaio: duplex option descriptor uninitialized
reassign 583273 hplip/3.12.2-1
tag 583273 patch upstream
thanks

On Thu, May 17, 2012 at 10:17:30PM +0400, Андрей Парамонов wrote:
> 2012/5/17 Matej Vela <vela at debian.org>:
>> Andrey, can you try rebuilding libsane-hpaio with the patch below?  Or I can
>> put together an (unofficial) package -- just let me know which dist/arch.
>>
>> This is what seems to be happening:
>>
>> (1) hplip-3.12.2/scan/sane/hpaio.c (sane_hpaio_open) initializes the option
>>    descriptor array with zeros.  Most descriptors are later given actual
>>    values (hpaioSetupOptions), but OPTION_DUPLEX (index 10) is initialized
>>    only if duplex is active; if not, its .size is left as 0.
>>
>> (2) gnome-scan-0.6.2/modules/gsane-scanner.c (gss_option_get_value_by_index)
>>    fetches the duplex option descriptor, and passes its .size without
>>    checking to g_malloc0.  For a size of 0, g_malloc0 is defined to return
>>    NULL.  This is again passed without checking to sane_control_option,
>>    which segfaults as soon as it tries to store the return value there.
>>
>> It's a given that gnome-scan would be better off with more sanity checks,
>> but I think the right thing to do is for libsane-hpaio to initialize the
>> OPTION_DUPLEX descriptor unconditionally, to ensure that the return value
>> from sane_get_option_descriptor is valid for all callers.
>>
>> (I haven't worked with SANE before, and don't have a scanner to test with,
>> so take all this with a large grain of salt. :-)
>
> I've checked your patch and it works! Flegita appears to be a really
> nice program ;-)

Great, let's reassign it then.  Dear hplip maintainers, please let me
know if there's anything I can help with further.

Cheers,

Matej
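The failure path in the quoted analysis, reduced to a self-contained C model (added here; not code from hplip, gnome-scan or the patch itself): `opt_desc`, `setup_options`, `zero_size_after_setup` and `duplex_fetch_ok` are constructed stand-ins for the SANE descriptor array, the backend setup and the frontend fetch, with a size check in place of the unchecked g_malloc0 call.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for SANE_Option_Descriptor with only the fields the
 * report touches; the real struct has more members. */
typedef struct { const char *name; int size; } opt_desc;

enum { OPTION_DUPLEX = 10, NUM_OPTIONS = 11 };

/* Hypothetical model of sane_hpaio_open + hpaioSetupOptions: zero the array,
 * set the ordinary descriptors, then fill OPTION_DUPLEX only when duplex is
 * active (the bug) or unconditionally (the fix). */
static void setup_options(opt_desc *opts, int duplex_active, int fixed)
{
    memset(opts, 0, sizeof(opt_desc) * NUM_OPTIONS);
    for (int i = 0; i < OPTION_DUPLEX; i++) {
        opts[i].name = "option";
        opts[i].size = (int)sizeof(int);
    }
    if (duplex_active || fixed) {
        opts[OPTION_DUPLEX].name = "duplex";
        opts[OPTION_DUPLEX].size = (int)sizeof(int); /* SANE_Bool-sized value */
    }
}

/* Frontend-side sanity check to run right after opening the device: counts
 * descriptors whose size is still 0, i.e. for which g_malloc0(size) is NULL. */
static int zero_size_after_setup(int duplex_active, int fixed)
{
    opt_desc opts[NUM_OPTIONS];
    int n = 0;
    setup_options(opts, duplex_active, fixed);
    for (int i = 0; i < NUM_OPTIONS; i++)
        if (opts[i].size == 0) n++;
    return n;
}

/* Hardened form of the gnome-scan fetch: allocate only for a positive size and
 * return 0 instead of handing a NULL buffer to sane_control_option. */
static int duplex_fetch_ok(int duplex_active, int fixed)
{
    opt_desc opts[NUM_OPTIONS];
    setup_options(opts, duplex_active, fixed);
    int size = opts[OPTION_DUPLEX].size;
    void *buf = size > 0 ? calloc(1, (size_t)size) : NULL;
    if (buf == NULL) return 0;
    /* the real sane_control_option(..., SANE_ACTION_GET_VALUE, buf, NULL) goes here */
    free(buf);
    return 1;
}
```

With the backend fix applied (`fixed` set) the duplex fetch succeeds whether or not duplex is active, and the post-open check reports no zero-size descriptors.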
