Bug in sane_close

From: Henning Meier-Geinitz (henningmg@gmx.de)
Date: Wed Jun 07 2000 - 12:26:11 PDT


    Hi,

    Jochen Eisinger just found the following bug in sane_close in mustek.c. I
    will fix this in mustek.c. Please check your backend! At least the following
    backends are also affected: abaton, apple, artec, avision, epson, pint,
    qcam, tamarack, umax.

      /* remove handle from list of open handles: */
      prev = 0;
      for (s = first_handle; s; s = s->next)
        {
          if (s == handle)
            break;
          prev = s;
        }
      if (!s)
        {
          DBG(1, "close: invalid handle %p\n", handle);
          return;/* oops, not a handle we know about */
        }

    [...]

      if (prev)
        prev->next = s->next;
      else
        first_handle = s;

      free (handle);

    If the current handle is first_handle, first_handle will point to a freed
    pointer after sane_close. The next sane_close() (if there is another one) will
    probably segfault.

    Fix:

      if (prev)
        prev->next = s->next;
      else
        first_handle = s->next;
                       ^^^^^^^

    This bug was introduced 1996-12-12 in sane-0.3 :-)

    Ciao,
      Henning

    --
    Source code, list archive, and docs: http://www.mostang.com/sane/
    To unsubscribe: echo unsubscribe sane-devel | mail majordomo@mostang.com
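A stand-alone reproduction of the list-unlink bug described in the message, added here as an example and not taken from mustek.c or any SANE backend: the `Handle` type, `open_handle`, `unlink_handle`, `count_handles` and `run_scenario` are all assumed names that mimic the shape of the snippet above. `unlink_handle` takes a `fixed` flag so the original assignment (`first_handle = s`) and the corrected one (`first_handle = s->next`) can be compared side by side; the scenario checks whether the list head still points at the handle about to be freed, and repairs the head before calling `free()` so the demo itself never dereferences freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a backend's open-handle list (names and layout assumed,
 * not taken from mustek.c): a singly linked list with push-front open. */
typedef struct Handle
{
  struct Handle *next;
  char name[16];
} Handle;

static Handle *first_handle = NULL;

/* Allocate a handle and prepend it to the open list. */
static Handle *
open_handle (const char *name)
{
  Handle *h = calloc (1, sizeof *h);
  if (!h)
    return NULL;
  strncpy (h->name, name, sizeof h->name - 1);
  h->next = first_handle;
  first_handle = h;
  return h;
}

/* Unlink 'handle' from the list without freeing it. 'fixed' selects the
 * corrected assignment (first_handle = s->next) or the original one
 * (first_handle = s). Returns 0 if found, -1 if not a known handle. */
static int
unlink_handle (Handle *handle, int fixed)
{
  Handle *prev = NULL, *s;

  for (s = first_handle; s; s = s->next)
    {
      if (s == handle)
        break;
      prev = s;
    }
  if (!s)
    return -1;                  /* not a handle we know about */

  if (prev)
    prev->next = s->next;
  else
    first_handle = fixed ? s->next : s; /* original: head stays on s */
  return 0;
}

/* Count handles still linked into the list. */
static size_t
count_handles (void)
{
  size_t n = 0;
  for (Handle *s = first_handle; s; s = s->next)
    n++;
  return n;
}

/* Open two handles, close the one at the head of the list, and report
 * whether first_handle still points at the handle about to be freed
 * (1 = would dangle, 0 = head correctly advanced). The head is repaired
 * before free() so this demo never touches freed memory. */
static int
run_scenario (int fixed)
{
  Handle *older = open_handle ("older");
  Handle *head = open_handle ("head"); /* now first_handle == head */
  int dangling;

  if (!older || !head || unlink_handle (head, fixed) != 0)
    return -1;

  dangling = (first_handle == head);
  if (dangling)
    first_handle = head->next;  /* what the fix does; keeps demo safe */
  free (head);

  /* Close the remaining handle with the corrected unlink. */
  unlink_handle (older, 1);
  free (older);
  return dangling;
}

int
main (void)
{
  printf ("original unlink: head dangles after close? %d\n", run_scenario (0));
  printf ("fixed unlink:    head dangles after close? %d\n", run_scenario (1));
  printf ("handles still open: %zu\n", count_handles ());
  return 0;
}
```

With the original assignment, closing the head handle leaves `first_handle` equal to the pointer that is freed a moment later, so the next `sane_close` walks freed memory; with `s->next` the head moves on to the remaining handle and an empty list ends as `NULL`. Building the demo with AddressSanitizer or running it under Valgrind and removing the repair line is the quickest way to see the use-after-free reported.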
    



    This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 12:35:39 PDT