From 27ea994d23ee52fe1ec1249c92ebc1080a358288 Mon Sep 17 00:00:00 2001
From: Olaf Meeuwissen <[email protected]>
Date: Thu, 30 Apr 2020 21:15:45 +0900
Subject: [PATCH] epsonds: Do not read beyond the end of the token

Addresses GHSL-2020-082, re #279.
---
 backend/epsonds-cmd.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/backend/epsonds-cmd.c b/backend/epsonds-cmd.c
index 9a4db3080..7ca660f1f 100644
--- a/backend/epsonds-cmd.c
+++ b/backend/epsonds-cmd.c
@@ -255,18 +255,20 @@ static int decode_value(char *buf, int len)
 }
 
 /* h000 */
-static char *decode_binary(char *buf)
+static char *decode_binary(char *buf, int len)
 {
 	char tmp[6];
 	int hl;
 
 	memcpy(tmp, buf, 4);
 	tmp[4] = '\0';
+	len -= 4;
 
 	if (buf[0] != 'h')
 		return NULL;
 
 	hl = strtol(tmp + 1, NULL, 16);
+	if (hl > len) hl = len;
 	if (hl) {
 
 		char *v = malloc(hl + 1);
@@ -279,9 +281,9 @@ static char *decode_binary(char *buf)
 	return NULL;
 }
 
-static char *decode_string(char *buf)
+static char *decode_string(char *buf, int len)
 {
-	char *p, *s = decode_binary(buf);
+	char *p, *s = decode_binary(buf, len);
 	if (s == NULL)
 		return NULL;
 
@@ -326,20 +328,20 @@ static SANE_Status info_cb(void *userdata, char *token, int len)
 
 	if (strncmp("PRD", token, 3) == 0) {
 		free(s->hw->model);
-		s->hw->model = decode_string(value);
+		s->hw->model = decode_string(value, len);
 		s->hw->sane.model = s->hw->model;
 		DBG(1, " product: %s\n", s->hw->model);
 		/* we will free the string later */
 	}
 
 	if (strncmp("VER", token, 3) == 0) {
-		char *v = decode_string(value);
+		char *v = decode_string(value, len);
 		DBG(1, " version: %s\n", v);
 		free(v);
 	}
 
 	if (strncmp("S/N", token, 3) == 0) {
-		char *v = decode_string(value);
+		char *v = decode_string(value, len);
 		DBG(1, "  serial: %s\n", v);
 		free(v);
 	}
-- 
GitLab