Some more progress on that bug. I have looked at the libgphoto2 sources,
and there is something really strange: all receive buffers are 4096 bytes
long, whereas the requested data size is 32778 bytes.

This was not a problem with the previous implementation of libusb, as it
seems the camera always returns smaller packets. With the new
implementation, the kernel starts by clearing the data buffer, believing
it is 32778 bytes long; that overruns the 4096-byte buffer on the stack,
probably clobbering neighbouring local variables, and thus causes the
segfault.

I have built a fixed version of libgphoto2, available at
http://temp.aurel32.net/libgphoto2

I have also attached the patch I used. I hope it works; let me know.

Bye,
Aurelien
 

-- 
  .''`.  Aurelien Jarno               GPG: 1024D/F1BCDB73
 : :' :  Debian GNU/Linux developer | Electrical Engineer
 `. `'   [EMAIL PROTECTED]         | [EMAIL PROTECTED]
   `-    people.debian.org/~aurel32 | www.aurel32.net
--- libgphoto2-2.1.5.orig/camlibs/sierra/library.c
+++ libgphoto2-2.1.5/camlibs/sierra/library.c
@@ -67,6 +67,9 @@
        SIERRA_PACKET_SESSION_END       = 0xff
 };
 
+/* Size of requested packet */
+#define SIERRA_PACKET_SIZE             32774
+
 /* Sub-types */
 #define SUBSIERRA_PACKET_COMMAND_FIRST   0x53
 #define SUBSIERRA_PACKET_COMMAND         0x43
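Review bot: The new constant is 32774, but the cover message says the requested transfer is 32778 bytes; if the read really asks for 32778, buffers sized by this define are still 4 bytes short, so the two numbers should be reconciled before the patch goes in. The comment on the define should also say what the number is and why the buffers depend on it, e.g. `/* Largest USB read the sierra protocol issues; every buffer that receives device data must be at least this big (see blocksize in the USB case) */`. Since these buffers receive data from an untrusted USB device, the read length should ultimately be bounded by the destination's `sizeof` rather than by a constant that merely happens to match; the read path itself is not in this hunk.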
@@ -518,7 +521,7 @@
 
        switch (camera->port->type) {
        case GP_PORT_USB:
-               blocksize = 32774;
+               blocksize = SIERRA_PACKET_SIZE;
                break;
        case GP_PORT_SERIAL:
                blocksize = 1;
@@ -732,7 +735,7 @@
 sierra_transmit_ack (Camera *camera, char *packet, GPContext *context)
 {
        int r = 0, result;
-       unsigned char buf[4096];
+       unsigned char buf[SIERRA_PACKET_SIZE];
 
        while (1) {
                if (gp_context_cancel (context) == GP_CONTEXT_FEEDBACK_CANCEL)
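Review bot: Enlarging `buf` to 32774 bytes only closes the overflow as long as the receive call inside this loop never asks for more than that, and the call is outside the hunk, so this cannot be verified here; the receive should take `sizeof buf` as its limit (or assert that `blocksize <= sizeof buf`) so a future change to the USB blocksize cannot reintroduce the stack smash. Note that `buf` is now ~32 KiB of stack in a function that loops and may be called from other library entry points; that is fine on the usual desktop stacks but worth a comment such as `/* sized to the largest USB packet the camera may return; do not shrink without bounding the read */`. The body of sierra_transmit_ack continues past the end of the hunk.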
@@ -844,7 +847,7 @@
 int
 sierra_init (Camera *camera, GPContext *context) 
 {
-       unsigned char buf[4096], packet[4096];
+       unsigned char buf[SIERRA_PACKET_SIZE], packet[4096];
        int ret, r = 0;
        GPPortSettings settings;
 
@@ -977,7 +980,7 @@
 int sierra_sub_action (Camera *camera, SierraAction action, int sub_action,
                       GPContext *context)
 {
-       char buf[4096];
+       char buf[SIERRA_PACKET_SIZE];
 
        CHECK (sierra_build_packet (camera, SIERRA_PACKET_COMMAND, 0, 3, buf));
        buf[4] = 0x02;
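Review bot: This buffer is declared as plain `char` whereas every other buffer touched by the patch is `unsigned char`; byte buffers that hold device data should be `unsigned char` so that bytes with the high bit set do not become negative when compared or widened, i.e. `unsigned char buf[SIERRA_PACKET_SIZE];`. If sierra_build_packet's parameter is `char *`, the call will need a cast or the prototype should be aligned, which cannot be checked from this hunk. sierra_sub_action's body continues past the hunk.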
@@ -1038,7 +1041,7 @@
 int sierra_get_int_register (Camera *camera, int reg, int *value, GPContext 
*context) 
 {
        int r = 0;
-       unsigned char p[4096], buf[4096];
+       unsigned char p[4096], buf[SIERRA_PACKET_SIZE];
 
        GP_DEBUG ("sierra_get_int_register: register 0x%02x...", reg);
