Canon backend exhibits segfault during open

Bug #378180 reported by tones111
Affects                 Status        Importance  Assigned to     Milestone
sane-backends           Unknown       Unknown
sane-backends (Ubuntu)  Fix Released  Medium      Rolf Leggewie

Bug Description

Binary package hint: libsane

This problem presents itself intermittently (errors approx 50% of the time).

ProblemType: Crash
Architecture: amd64
DistroRelease: Ubuntu 9.04
ExecutablePath: /usr/bin/xsane
NonfreeKernelModules: nvidia
Package: xsane 0.996-1ubuntu2
ProcCmdline: xsane
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
Signal: 11
SourcePackage: xsane
StacktraceTop:
 strlen () from /lib/libc.so.6
 strdup () from /lib/libc.so.6
 sane_canon_open (devnam=<value optimized out>,
 sane_dll_open (
 xsane_device_dialog () at xsane.c:4892
Title: xsane crashed with SIGSEGV in strlen()
Uname: Linux 2.6.28-11-generic x86_64
UserGroups: adm admin audio cdrom fuse lpadmin netdev plugdev sambashare video

Revision history for this message
tones111 (tones111) wrote :
Revision history for this message
Apport retracing service (apport) wrote : Stacktrace.txt (retraced)

StacktraceTop:
 strlen () at ../sysdeps/x86_64/strlen.S:48
 *__GI___strdup (s=0x0) at strdup.c:42
 sane_canon_open (devnam=<value optimized out>,
 sane_dll_open (
 xsane_device_dialog () at xsane.c:4892

Revision history for this message
Apport retracing service (apport) wrote : ThreadStacktrace.txt (retraced)
Changed in sane-backends (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
tones111 (tones111)
visibility: private → public
Revision history for this message
tones111 (tones111) wrote :

I'm trying to debug this and am having a little bit of difficulty. I'm able to use the following configure command to compile debugging symbols into libsane, but am unable to disable optimizations. This is preventing me from seeing many relevant variables when stepping through with gdb. I'm still a little new at debugging, any suggestions?

./configure --prefix=/usr --sysconfdir=/etc --enable-debug=yes --disable-optimization

However, I think I've found the root of the problem. I'm building a vanilla libsane 1.0.20 from the sane project's download mirror. The problem lies in backends/canon.c.

line 255 parses the "film type" from what I believe is a message from my scanner hardware. During normal runs this value is 0. Occasionally I see 5 being returned. This causes a segfault at line 1763 since it overflows the tpu_filmtype_list array. That array is defined at line 183 and only has 5 elements. So, strdup is given a bogus string pointer and generates a seg fault when trying to determine its length.

The sensible solution to this problem is to add a bounds check near line 255 to restrict the film type to a sane value given the hard-coded array.

FWIW, my scanner is a Canon FB1200S (model #IX-12015E) which connects through an Adaptec AIC-7850 SCSI controller.

If someone could point me to some docs on Ubuntu's process to submit a patch I could give it a shot myself.

Revision history for this message
tones111 (tones111) wrote :

Note: I've also created an upstream bug report on the sane bugtracker. #311685
https://alioth.debian.org/tracker/?func=detail&atid=410366&aid=311685&group_id=30186

Revision history for this message
tones111 (tones111) wrote :

Update:
   This has been resolved upstream in the sane git repository (git://git.debian.org/sane/sane-backends.git). The commit ids are:

006d5c4197a6afe8ea090dceb01f1d07377d8032
7dab2ed86b4950b45b84c0c09623cdd7cbf2abda

Is there any chance this could get added into the Ubuntu patchset for the libsane package?

Thanks.

Revision history for this message
Benjamin McGough (bmcgough) wrote :

This bug is present in Karmic (released). I'm on 32-bit, and I'd say this happens more than 50% of the time, but less than 100%.

Revision history for this message
tones111 (tones111) wrote :

I'm a little disappointed with the amount of help / suggestions I've received on how to incorporate a fix for this into the Ubuntu patchset for the sane library. Considering I went through the work of diagnosing the problem and working with upstream to get a fix committed, why can't I get any direction on how to incorporate this into Ubuntu?

Revision history for this message
Rolf Leggewie (r0lf) wrote :

Paul, sad indeed that nobody picked up your work. I suppose it has trickled into Debian and thus Ubuntu on its own by now. Can you confirm that the problem is fixed at least in Trusty or later?

Changed in sane-backends (Ubuntu):
assignee: nobody → Rolf Leggewie (r0lf)
status: New → Incomplete
Revision history for this message
Rolf Leggewie (r0lf) wrote :

I'll have to assume it's fixed indeed

Changed in sane-backends (Ubuntu):
status: Incomplete → Fix Released