Okay, I found a scanner here which needs the same driver and the fix in
this merge request fixes it for me:

https://gitlab.com/sane-project/backends/-/merge_requests/634

The attached patch should apply on 1.0.32 at least, probably earlier
versions, too. It should be upstream with 1.0.33 then.

Hope it helps!

From 63942f7a7473496d1160f02f5c1da3620525690d Mon Sep 17 00:00:00 2001
From: Wolfram Sang <w...@kernel.org>
Date: Thu, 10 Jun 2021 11:32:04 +0200
Subject: [PATCH] gt68xx: fix use-after-free and two mem leaks

The config file argument needs to be freed when a device is not set.
That was missed for two occasions. The other occasion was freeing it
unconditionally leading to a use-after-free for the regular use case.

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980311

This is the least intrusive fix. The code really wants to be refactored.
Tested with a Mustek 1200 UB Plus.
---
 backend/gt68xx.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/backend/gt68xx.c b/backend/gt68xx.c
index 6e43765d3..08919287a 100644
--- a/backend/gt68xx.c
+++ b/backend/gt68xx.c
@@ -1174,8 +1174,11 @@ static SANE_Status probe_gt68xx_devices(void)
                        new_dev[i]->model->firmware_name);
                 }
               if (i == 0)
-                DBG (5, "sane_init: firmware %s can't be loaded, set device "
-                     "first\n", word);
+                {
+                  DBG (5, "sane_init: firmware %s can't be loaded, set device "
+                       "first\n", word);
+                  free (word);
+                }
             }
           else
             {
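Review bot: in the new `if (i == 0)` block of this firmware hunk, `word` is left dangling after `free (word);`. Adding `word = NULL;` directly after the free would make any later use of the pointer on this path fail at once instead of reading freed memory, which is the bug class the commit message says this patch addresses.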
@@ -1198,8 +1201,11 @@ static SANE_Status probe_gt68xx_devices(void)
                        new_dev[i]->model->name, new_dev[i]->model->vendor);
                 }
               if (i == 0)
-                DBG (5, "sane_init: can't set vendor name %s, set device "
-                     "first\n", word);
+                {
+                  DBG (5, "sane_init: can't set vendor name %s, set device "
+                       "first\n", word);
+                  free (word);
+                }
             }
           else
             {
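Review bot: the braces, `DBG (5, ...)` call and `free (word);` added under `if (i == 0)` in this vendor hunk repeat the block in the firmware hunk and the model hunk, with only the message text differing. The commit message notes that the free was missed on two of the three occasions, so a small static helper that logs the message and frees `word` would keep the three sites consistent. Since the message lines are touched anyway, note that the "sane_init:" prefix does not match the function named in the hunk header, `probe_gt68xx_devices`.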
@@ -1221,9 +1227,11 @@ static SANE_Status probe_gt68xx_devices(void)
                        new_dev[i]->model->name, new_dev[i]->model->model);
                 }
               if (i == 0)
-                DBG (5, "sane_init: can't set model name %s, set device "
-                     "first\n", word);
-              free (word);
+                {
+                  DBG (5, "sane_init: can't set model name %s, set device "
+                       "first\n", word);
+                  free (word);
+                }
             }
           else
             {
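Review bot: the unconditional `free (word);` that followed the `if (i == 0)` check in this model hunk is removed without a comment saying why `word` must stay allocated when `i` is non-zero. Per the commit message, freeing it in the regular use case was the use-after-free, so a one-line comment above the `if (i == 0)` stating that `word` is only freed when no device was set would keep a later reader from re-adding the free as a presumed leak fix.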
-- 
2.30.2
