Mirror of https://gitlab.com/sane-project/website
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>sane-devel: xsane: Scan buffer overflow possible</TITLE>
<META NAME="Author" CONTENT="Marian Eichholz (marian.eichholz@freenet-ag.de)">
<META NAME="Subject" CONTENT="xsane: Scan buffer overflow possible">
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>xsane: Scan buffer overflow possible</H1>
<!-- received="Mon May 28 08:34:50 2001" -->
<!-- isoreceived="20010528153450" -->
<!-- sent="Mon, 28 May 2001 17:39:59 +0200" -->
<!-- isosent="20010528153959" -->
<!-- name="Marian Eichholz" -->
<!-- email="marian.eichholz@freenet-ag.de" -->
<!-- subject="xsane: Scan buffer overflow possible" -->
<!-- id="3B12714F.E77E9A4D@freenet-ag.de" -->
<!-- inreplyto="3B1268B2.C3C297BA@rauch-domain.de" -->
<STRONG>From:</STRONG> Marian Eichholz (<A HREF="mailto:marian.eichholz@freenet-ag.de?Subject=Re:%20xsane:%20Scan%20buffer%20overflow%20possible&In-Reply-To=<3B12714F.E77E9A4D@freenet-ag.de>"><EM>marian.eichholz@freenet-ag.de</EM></A>)<BR>
<STRONG>Date:</STRONG> Mon May 28 2001 - 08:39:59 PDT
<P>
<!-- next="start" -->
<LI><STRONG>Next message:</STRONG> <A HREF="0400.html">Aristide Aragon: "Microtek, Net, NetBSD"</A>
<UL>
<LI><STRONG>Previous message:</STRONG> <A HREF="0398.html">Oliver Rauch: "Re: xsane-0.77 released [PATCHES]"</A>
<LI><STRONG>In reply to:</STRONG> <A HREF="0398.html">Oliver Rauch: "Re: xsane-0.77 released [PATCHES]"</A>
<!-- nextthread="start" -->
<!-- reply="end" -->
<LI><STRONG>Messages sorted by:</STRONG>
<A HREF="date.html#399">[ date ]</A>
<A HREF="index.html#399">[ thread ]</A>
<A HREF="subject.html#399">[ subject ]</A>
<A HREF="author.html#399">[ author ]</A>
</UL>
<HR NOSHADE><P>
<!-- body="start" -->
<P>
Oliver Rauch wrote:
<BR>
<P><EM>> > I didn't want to ask, but the first scan logs looked like the backend
</EM><BR>
<EM>> > still requests full blocks whatever would happen.
</EM><BR>
<EM>>
</EM><BR>
<EM>> ???
</EM><BR>
<EM>> The what has this to do with xsane?
</EM><BR>
<P>You remember the discussion we had some weeks ago with the EOF
<BR>
detection?
<BR>
<P>If not, or it got lost: No worries, I'll cite the proof for Nick Lamb at
<BR>
the end.
<BR>
<P>Summary: We found that xsane requests data transfers even if the
<BR>
remaining buffer will be overflowed.
<BR>
Particularly, it does not recalculate the "number of bytes" parameter
<BR>
(of sane_read()) for the last transfer(s).
<BR>
<P>Thus, the backend must be implemented *very* carefully if it does not
<BR>
want to inadvertently smash XSane's heap, because it cannot know that
<BR>
there is no remaining buffer without help of a limiting "number of
<BR>
bytes" parameter.
<BR>
<P>Obviously, xsane 0.77 still behaves the same way, and it is great that
<BR>
you announced to fix this issue.
<BR>
<P><EM>> > I don't know if it matters, but when xsane-0.77 prompts for "overwrite
</EM><BR>
<EM>> > existing file" the left button has no label/text.
</EM><BR>
<EM>>
</EM><BR>
<EM>> In which language? I tested with German and English and everything is ok for me.
</EM><BR>
<P>I have a German locale (de_DE).
<BR>
<P><EM>> > [To be honest, I updated glibc and xfree and have/had some problems with
</EM><BR>
<EM>> > the locales]
</EM><BR>
<EM>>
</EM><BR>
<EM>> This could be a reason. Maybe because of the "&Uuml;" in "&Uuml;berschreiben".
</EM><BR>
<P>Hmmm... Freeamp has issues in its GTK interface with umlauts. Well,
<BR>
I'll check it, but it's not important.
<BR>
<P>Yours,
<BR>
<P>Marian Eichholz
<BR>
<P>- old mail follows here -----------------------------------------------
<BR>
[Subject:EOF buffer overflow with Xsane 0.76]
<BR>
<P>Hi friends,
<BR>
<P>since Nick asked me for an example: Here I have the proof for the buffer
<BR>
overflow with Xsane 0.76.
<BR>
<P>I scanned a tiny area in 100 DPI and RGB. Here is the trace:
<BR>
<P>[sm3600] mode=0, res=100, BC=[0,0], xywh=[2097,325,945,1181]
<BR>
[sm3600] getting parameters (234,99)...
<BR>
[sm3600] reading chunk 65536...
<BR>
[sm3600] ... line 98 (22932/5)...
<BR>
[sm3600] reading chunk 65536...
<BR>
[sm3600] cancel called...
<BR>
[sm3600] mode=0, res=100, BC=[0,0], xywh=[2097,325,945,1181]
<BR>
[sm3600] getting parameters (234,99)...
<BR>
<P>The "65536" is the buffer size / transfer length that is given by the
<BR>
front end to sane_read().
<BR>
<P>You can see that there are only 22932 bytes needed for the scan. If I
<BR>
wrote more than this amount, Xsane would badly, badly crash (or at
<BR>
least, behave *very* strangely).
<BR>
<P>Nevertheless, it requests 128KB of data in all, and the backend has no
<BR>
chance to see that there is not that much room in the buffers.
<BR>
<P>In my opinion, the frontend should request only 22932 bytes, because
<BR>
this is the size in the buffer, and the next (EOF) cycle should really
<BR>
request only 0 (zero) bytes, because the buffer pointer points in fact to
<BR>
the first byte *behind* the buffer area.
<BR>
<P>IMHO this is a real bug. No worries, the backend copes with that :-)
<BR>
<P><PRE>
--
Source code, list archive, and docs: <A HREF="http://www.mostang.com/sane/">http://www.mostang.com/sane/</A>
To unsubscribe: echo unsubscribe sane-devel | mail <A HREF="mailto:majordomo@mostang.com?Subject=Re:%20xsane:%20Scan%20buffer%20overflow%20possible&In-Reply-To=<3B12714F.E77E9A4D@freenet-ag.de>">majordomo@mostang.com</A>
</PRE>
<P><!-- body="end" -->
<HR NOSHADE>
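<P>Added example (not part of the original message, and not xsane or SANE code): a frontend read loop that recalculates the length passed to the read call before every transfer, as the message asks for, using the 65536-byte chunk and 22932-byte image from the trace. The names <CODE>mock_backend</CODE>, <CODE>backend_read</CODE>, <CODE>clamped_request</CODE>, <CODE>read_scan</CODE> and <CODE>guard_intact_after_scan</CODE> are hypothetical; <CODE>backend_read</CODE> is a constructed stand-in for a backend's sane_read() that trusts the length it is given.

```c
#include <stddef.h>
#include <string.h>
#define CHUNK 65536        /* transfer length from the trace */
#define IMAGE_BYTES 22932  /* bytes the scan needs, from the trace */

/* Constructed stand-in for a backend's sane_read(): trusts max_len and
 * writes as much pending data as max_len allows. Returns -1 at EOF. */
struct mock_backend { size_t pending; };
static int backend_read(struct mock_backend *b, unsigned char *buf,
                        size_t max_len, size_t *len)
{
    size_t n = b->pending < max_len ? b->pending : max_len;
    *len = n;
    if (n == 0) return -1;
    memset(buf, 0xAB, n);
    b->pending -= n;
    return 0;
}

/* Length the frontend may request: never more than the room left. */
size_t clamped_request(size_t buf_size, size_t used, size_t chunk)
{
    size_t room = used < buf_size ? buf_size - used : 0;
    return room < chunk ? room : chunk;
}

/* Read loop that recalculates max_len before every transfer. */
size_t read_scan(struct mock_backend *b, unsigned char *buf, size_t buf_size)
{
    size_t used = 0, got = 0;
    for (;;) {
        size_t want = clamped_request(buf_size, used, CHUNK);
        if (want == 0) break;   /* no room left: request nothing more */
        if (backend_read(b, buf + used, want, &got) != 0) break;
        used += got;
    }
    return used;
}

/* 1 if guard bytes behind the buffer survive; backend holds 128 KB. */
int guard_intact_after_scan(void)
{
    static unsigned char mem[IMAGE_BYTES + 64];
    struct mock_backend b = { 2 * CHUNK };
    memset(mem + IMAGE_BYTES, 0x5A, 64);
    if (read_scan(&b, mem, IMAGE_BYTES) != IMAGE_BYTES) return 0;
    for (size_t i = 0; i < 64; i++)
        if (mem[IMAGE_BYTES + i] != 0x5A) return 0;
    return 1;
}
int main(void) { return guard_intact_after_scan() ? 0 : 1; }
```

<P>Passing a fixed CHUNK instead of <CODE>want</CODE> to the same constructed backend would let it write 65536 bytes into the 22932-byte buffer on the first transfer.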
<!-- trailer="footer" -->
<HR NOSHADE>
<P>
<SMALL>
<EM>
This archive was generated by <A HREF="http://www.hypermail.org/">hypermail 2b29</A>
: <EM>Mon May 28 2001 - 08:35:59 PDT</EM>
</EM>
</SMALL>
</BODY>
</HTML>