diff --git a/ChangeLog b/ChangeLog
index 819688b4c..5819165fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
-2009-10-10 Stéphane Voltz
+2009-10-01 Jonathan Bravo Lopez
+ * backend/hp3900_sane.c:
+ fix bug 311991: "Bad option sizes let frontend (e.g. xsane) crash"
+
+2009-10-01 Stéphane Voltz
 * backend/lexmark_low.c:
 fix a memleak in find_start_line(), check success of memory allocation after calloc()
diff --git a/backend/hp3900_sane.c b/backend/hp3900_sane.c
index 826068a5e..4ba2f6c95 100644
--- a/backend/hp3900_sane.c
+++ b/backend/hp3900_sane.c
@@ -1189,6 +1189,7 @@ options_init (TScanner * scanner)
 scanner->rng_vertical.quant = 1;
 /* allocate option lists */
+ bknd_info (scanner);
 bknd_colormodes (scanner, RTS_Debug->dev_model);
 bknd_depths (scanner, RTS_Debug->dev_model);
 bknd_models (scanner);
@@ -1562,6 +1563,7 @@ options_init (TScanner * scanner)
 pDesc->constraint_type = SANE_CONSTRAINT_NONE;
 pDesc->cap = SANE_CAP_ADVANCED | SANE_CAP_SOFT_DETECT;
 pVal->s = strdup (SANE_I18N ("Unknown"));
+ pDesc->size = strlen(pVal->s) + 1;
 break;
 case opt_chipid:
@@ -1981,7 +1983,9 @@ option_get (TScanner * scanner, SANE_Int optid, void *result)
 case opt_scantype:
 case opt_model:
 case opt_chipname:
- strcpy (result, scanner->aValues[optid].s);
+ strncpy (result, scanner->aValues[optid].s, scanner->aOptions[optid].size);
+ ((char*)result)[scanner->aOptions[optid].size-1] = '\0';
+ break;
 /* scanner buttons */
@@ -2113,6 +2117,7 @@ option_set (TScanner * scanner, SANE_Int optid, void *value, SANE_Int * pInfo)
 Load_Config (device);
 /* update options according to selected device */
+ bknd_info (scanner);
 bknd_colormodes (scanner, model);
 bknd_depths (scanner, model);
 bknd_resolutions (scanner, model);
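Review bot: The added `pDesc->size = strlen(pVal->s) + 1;` in the opt_chipname case dereferences the result of `strdup` without checking it, so an allocation failure there becomes a NULL dereference during option setup. Test `pVal->s` for NULL before taking its length and fail initialisation the way options_init's other error paths do (they are outside this hunk). The size is also fixed from the placeholder string "Unknown", and option_get now truncates to that size, so whichever code later stores the real chip name must update `aOptions[opt_chipname].size` together with the string. That is presumably bknd_info, whose body is not shown, so this needs confirming.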
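Review bot: The new terminator write `((char*)result)[scanner->aOptions[optid].size-1] = '\0';` indexes at -1 when the option's `size` is 0, which writes one byte before the frontend's buffer, and the `strncpy` above it still dereferences `aValues[optid].s` when that is NULL. These case labels share the copy for opt_scantype, opt_model and opt_chipname, but only the opt_chipname size is set in this commit, so the other sizes depend on code outside the hunk. I would guard the copy with `if (scanner->aOptions[optid].size > 0 && scanner->aValues[optid].s != NULL)` and do it in one bounded, always-terminated call: `snprintf (result, scanner->aOptions[optid].size, "%s", scanner->aValues[optid].s);`. A short comment stating that `result` is assumed to hold at least `aOptions[optid].size` bytes, per the option descriptor, would also help. option_get's body continues outside the hunk.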
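Review bot: Nothing visible in this option_set hunk tells the frontend that option descriptors may have changed after `bknd_info (scanner);` runs on a device change. If bknd_info updates `aOptions[...].size` for the string options (its body is not shown), a frontend that still holds the old descriptor passes a buffer of the old size, while option_get copies up to the new one. On this path I would expect `if (pInfo != NULL) *pInfo |= SANE_INFO_RELOAD_OPTIONS;`; please confirm whether the code after the hunk already does that. The same call added to options_init in the first hunk presumably runs before any frontend has read the descriptors, so this concern applies only here.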