forked from pool/sane-backends
5db422d7c0
Applied upstream CVE-2017-6318.patch (bsc#1027197) OBS-URL: https://build.opensuse.org/request/show/460922 OBS-URL: https://build.opensuse.org/package/show/graphics/sane-backends?expand=0&rev=83
36 lines
1.1 KiB
Diff
36 lines
1.1 KiB
Diff
--- frontend/saned.c
|
|
+++ frontend/saned.c
|
|
@@ -1992,6 +1992,32 @@ process_request (Wire * w)
|
|
return 1;
|
|
}
|
|
|
|
+ /* Debian BTS #853804 */
|
|
+ if (w->direction == WIRE_DECODE
|
|
+ && req.value_type == SANE_TYPE_STRING
|
|
+ && req.action == SANE_ACTION_GET_VALUE)
|
|
+ {
|
|
+ if (req.value)
|
|
+ {
|
|
+ /* FIXME: If req.value contained embedded NUL
|
|
+ * characters, this is wrong.
|
|
+ */
|
|
+ w->allocated_memory -= (1 + strlen (req.value));
|
|
+ free (req.value);
|
|
+ }
|
|
+ req.value = malloc (req.value_size);
|
|
+ if (!req.value)
|
|
+ {
|
|
+ w->status = ENOMEM;
|
|
+ DBG (DBG_ERR,
|
|
+ "process_request: (control_option) "
|
|
+ "h=%d (%s)\n", req.handle, strerror (w->status));
|
|
+ return 1;
|
|
+ }
|
|
+ memset (req.value, 0, req.value_size);
|
|
+ w->allocated_memory += req.value_size;
|
|
+ }
|
|
+
|
|
can_authorize = 1;
|
|
|
|
memset (&reply, 0, sizeof (reply)); /* avoid leaking bits */
|