[PATCH 0/1] MR9483: dlls/sane.ds: Avoid segfault with backends that have integer array options like 'test'
# Segfault in ui.c for backends with array integer options Some Backends offer options that are an array of TYPE_INT values. So opt.size \> sizeof(int). The code in ui.c then calls ``` sane_option_get_value( id - ID_BASE, &i ); ``` In ui.c:181 and expects one integer value to be transfered to i, but a whole array of integers is transfered, overwriting the stack and causing a segmentation fault. # Reproducting the crash Notably the test-Backend offers "red-gamma-table". Just uncomment "test" in ``` /etc/sane.d/dll.conf ``` And try to open the TWAIN user interface and a segfault occurs. But there are also other SANE backends with such options. # Solution For integer options with a size != sizeof(int), no controls for editing are to be generated. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9483
From: Bernd Herd <codeberg(a)herdsoft.com> --- dlls/sane.ds/ui.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dlls/sane.ds/ui.c b/dlls/sane.ds/ui.c index 51c7f54eea9..7c6222673e4 100644 --- a/dlls/sane.ds/ui.c +++ b/dlls/sane.ds/ui.c @@ -382,7 +382,8 @@ static LPDLGTEMPLATEW create_options_page(HDC hdc, int *from_index, return NULL; } } - if (!opt.is_active) + if (!opt.is_active || + (opt.type==TYPE_INT && opt.size!=sizeof(int))) continue; len = create_item(hdc, &opt, ID_BASE + i, &item_tpl, y, &x, &count); -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/9483
This merge request was approved by Esme Povirk. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9483
participants (3)
-
Bernd Herd -
Bernd Herd (@herdsoft)
-
Esme Povirk (@madewokherd)