libsane-hpaio: duplex option descriptor uninitialized

Bug #1004768 reported by Mark Purcell
Affects          Status        Importance  Assigned to  Milestone
HPLIP            New           Undecided   Unassigned
hplip (Debian)   Fix Released  Unknown

Bug Description

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583273

From: Matej Vela <email address hidden>
To: Андрей Парамонов
 <email address hidden>, <email address hidden>
Cc: Julien BLACHE <email address hidden>
Subject: Re: Bug#583273: flegita: Crashes on startup
Date: Thu, 17 May 2012 10:54:44 +0100
On Fri, May 28, 2010 at 10:42:44PM +0200, Julien BLACHE wrote:
> Андрей Парамонов <email address hidden> wrote:
>
>> I've managed to get the following backtrace with hplip debug symbols:
>>
>> 0xb090304c in sane_hpaio_control_option (handle=0x8262800, option=10,
>> action=SANE_ACTION_GET_VALUE, pValue=0x0,
>> pInfo=0xb34b21ac) at scan/sane/hpaio.c:2485
>> 2485 *pIntValue = hpaio->currentDuplex;
>
> I think we have a winner :-) Now you'll just have to figure out why
> gnome-scan passes NULL here :/

Andrey, can you try rebuilding libsane-hpaio with the patch below? Or I can
put together an (unofficial) package -- just let me know which dist/arch.

This is what seems to be happening:

(1) hplip-3.12.2/scan/sane/hpaio.c (sane_hpaio_open) initializes the option
    descriptor array with zeros. Most descriptors are later given actual
    values (hpaioSetupOptions), but OPTION_DUPLEX (index 10) is initialized
    only if duplex is active; if not, its .size is left as 0.

(2) gnome-scan-0.6.2/modules/gsane-scanner.c (gss_option_get_value_by_index)
    fetches the duplex option descriptor, and passes its .size without
    checking to g_malloc0. For a size of 0, g_malloc0 is defined to return
    NULL. This is again passed without checking to sane_control_option,
    which segfaults as soon as it tries to store the return value there.

It's a given that gnome-scan would be better off with more sanity checks,
but I think the right thing to do is for libsane-hpaio to initialize the
OPTION_DUPLEX descriptor unconditionally, to ensure that the return value
from sane_get_option_descriptor is valid for all callers.

(I haven't worked with SANE before, and don't have a scanner to test with,
so take all this with a large grain of salt. :-)

Cheers,

Matej

--- hplip-3.12.2/scan/sane/hpaio.c~ 2012-02-01 11:52:35.000000000 +0000
+++ hplip-3.12.2/scan/sane/hpaio.c 2012-05-17 10:07:20.000000000 +0100
@@ -1342,9 +1342,8 @@
     hpaio->option[OPTION_ADF_MODE].constraint_type = SANE_CONSTRAINT_STRING_LIST;
     hpaio->option[OPTION_ADF_MODE].constraint.string_list = hpaio->adfModeList;

- // Duplex scanning is supported
- if (hpaio->supportsDuplex == 1)
- {
+ // hpaioUpdateDescriptors will leave this active or inactive depending
+ // on whether duplex is supported
        hpaio->option[OPTION_DUPLEX].name = STR_NAME_DUPLEX;
        hpaio->option[OPTION_DUPLEX].title = STR_TITLE_DUPLEX;
        hpaio->option[OPTION_DUPLEX].desc = STR_DESC_DUPLEX;
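Review bot: the statements that were inside the removed `if (hpaio->supportsDuplex == 1)` block, from `hpaio->option[OPTION_DUPLEX].name = STR_NAME_DUPLEX;` onward, keep their old inner indentation although they now sit at the same level as the `hpaio->option[OPTION_ADF_MODE]` assignments above them; re-indent them so the dropped guard does not read as a still-open block. The new comment also defers to hpaioUpdateDescriptors, which is not part of this diff, so it is worth confirming in the same change that that function really sets SANE_CAP_INACTIVE on OPTION_DUPLEX when supportsDuplex != 1, since the descriptor is now filled in for every device.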
@@ -1355,7 +1354,7 @@
                                        SANE_CAP_SOFT_DETECT |
                                        SANE_CAP_ADVANCED;
        hpaio->option[OPTION_DUPLEX].constraint_type = SANE_CONSTRAINT_NONE;
- }
+
     hpaio->option[GROUP_GEOMETRY].title = STR_TITLE_GEOMETRY;
     hpaio->option[GROUP_GEOMETRY].type = SANE_TYPE_GROUP;
     hpaio->option[GROUP_GEOMETRY].cap = SANE_CAP_ADVANCED;
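Review bot: with the closing `}` replaced by an empty line, the cap initialisation just above (`SANE_CAP_SOFT_DETECT | SANE_CAP_ADVANCED`) now runs unconditionally and carries no SANE_CAP_INACTIVE bit, so a non-duplex device advertises an active duplex option unless hpaioUpdateDescriptors (outside this hunk) sets that bit; either verify that it does or set SANE_CAP_INACTIVE here when supportsDuplex != 1. The three context lines above the removed brace also still carry the inner-block indentation and should be re-indented together with the rest of the former block.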

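As an added illustration of the two code paths Matej describes (not code from the report, from hplip or from gnome-scan), the following C model reduces the descriptor and device types to the fields that matter and assumes SANE_CAP_INACTIVE has the same bit value as in sane.h. It contrasts the pre-patch backend, which leaves the duplex descriptor's .size at 0, with the patched one, and a frontend that checks the descriptor with one that does not.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the hpaio backend / gnome-scan frontend interaction
   described in the report; only the descriptor fields that matter are kept. */
#define OPTION_DUPLEX     10
#define NUM_OPTIONS       12
#define SANE_CAP_INACTIVE 32   /* assumed to match the bit value in sane.h */

typedef struct { const char *name; int size; int cap; } OptDesc;
typedef struct { OptDesc option[NUM_OPTIONS]; int currentDuplex; } HpaioDev;

/* Backend (sane_hpaio_open / hpaioSetupOptions). fixed == 0: the duplex
   descriptor is filled in only for duplex-capable devices, so .size stays 0
   otherwise. fixed == 1: always filled in, merely flagged inactive. */
static void backend_setup(HpaioDev *dev, int supportsDuplex, int fixed)
{
    memset(dev, 0, sizeof *dev);
    if (fixed || supportsDuplex == 1) {
        dev->option[OPTION_DUPLEX].name = "duplex";
        dev->option[OPTION_DUPLEX].size = sizeof(int);
        dev->option[OPTION_DUPLEX].cap  = supportsDuplex ? 0 : SANE_CAP_INACTIVE;
    }
}

/* Frontend (gss_option_get_value_by_index). Returns 1 = value read, 0 = skipped
   by the descriptor sanity check, -1 = a NULL buffer would have reached
   sane_control_option (the crash in the backtrace; the model returns instead). */
static int frontend_get_value(HpaioDev *dev, int index, int check_desc, int *out)
{
    OptDesc *desc = &dev->option[index];
    if (check_desc && (desc->size == 0 || (desc->cap & SANE_CAP_INACTIVE)))
        return 0;
    /* g_malloc0(0) is defined to return NULL; calloc(1, 0) need not be */
    int *buf = desc->size > 0 ? calloc(1, desc->size) : NULL;
    if (buf == NULL) return -1;
    *buf = dev->currentDuplex;   /* hpaio.c:2485: *pIntValue = hpaio->currentDuplex; */
    *out = *buf;
    free(buf);
    return 1;
}

/* One combination of backend fix, device capability and frontend checking. */
static int scenario(int fixed, int supportsDuplex, int check_desc)
{
    HpaioDev dev; int value = 0;
    backend_setup(&dev, supportsDuplex, fixed);
    return frontend_get_value(&dev, OPTION_DUPLEX, check_desc, &value);
}
```

Only the unpatched backend combined with an unchecking frontend on a non-duplex device reaches the NULL-buffer path; either fix alone avoids it.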
Changed in hplip (Debian):
status: Unknown → Confirmed
Changed in hplip (Debian):
status: Confirmed → Fix Released