Package: scantool
Version: 1.21+dfsg-3
Severity: important
Tags: patch

When using the SCAN CODES button, the program crashes due to a buffer
overflow in the filename variable, which is limited to only 30
bytes. Unfortunately the Debian location of the support files requires
more than that entire space.

The attached patch expands the hardcoded limit up to FILENAME_MAX -
more than necessary, but at least it should no longer cause an
overflow, and there is really no advantage in specifying 60 or 256
bytes instead.

This problem does not prevent active reading of sensor parameters, but
it does prevent reading of DTCs, which is rather a core diagnostic feature
of this program.

- Adam
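The overflow the report describes, as an added example that is not scantool's own code: it computes the space the "%s#%ccodes" name needs against the original 30-byte buffer, and shows a bounded builder that refuses a truncated name instead of overflowing. SAMPLE_DEFS is a constructed stand-in path, not the real Debian install location.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define OLD_LIMIT 30   /* size of the original file_name[30] buffer */
#define SAMPLE_DEFS "/usr/share/scantool/codes.dat"  /* constructed sample path */

/* Bytes the "%s#%ccodes" name needs, including the terminating NUL. */
size_t codes_name_needed(const char *code_defs_file_name)
{
    return strlen(code_defs_file_name) + strlen("#xcodes") + 1;
}

/* 1 if the original 30-byte buffer would overflow for this path. */
int old_buffer_overflows(const char *code_defs_file_name)
{
    return codes_name_needed(code_defs_file_name) > OLD_LIMIT;
}

/* Bounded builder: never writes past dst_size, always NUL-terminates,
 * returns 0 on success and -1 (with an empty dst) if the name was
 * truncated, so a cut-off path is never handed to the file opener. */
int build_codes_name(char *dst, size_t dst_size,
                     const char *code_defs_file_name, int code_letter)
{
    int n;
    if (dst_size == 0)
        return -1;
    n = snprintf(dst, dst_size, "%s#%ccodes",
                 code_defs_file_name, tolower(code_letter));
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Check helper: build into a buffer of dst_size bytes and compare with
 * expected; returns 1 on match, 0 on truncation or mismatch. */
int builds_as(size_t dst_size, const char *code_defs_file_name,
              int code_letter, const char *expected)
{
    char buf[FILENAME_MAX];
    if (dst_size > sizeof buf)
        dst_size = sizeof buf;
    if (build_codes_name(buf, dst_size, code_defs_file_name, code_letter) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}
```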



-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.7+ (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Index: scantool-1.21+dfsg/trouble_code_reader.c
===================================================================
--- scantool-1.21+dfsg.orig/trouble_code_reader.c	2009-09-15 22:38:42.000000000 -0500
+++ scantool-1.21+dfsg/trouble_code_reader.c	2012-12-24 14:37:29.484907208 -0600
@@ -1221,7 +1221,7 @@
 {
    static PACKFILE *file = NULL;
    static char current_code_letter = 0;
-   char file_name[30];
+   char file_name[FILENAME_MAX];
    
    if (code_letter == 0)
    {
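Review bot: enlarging file_name to FILENAME_MAX removes the 30-byte limit, but on its own it only moves the overflow threshold; the declaration is only safe together with the bounded write in the next hunk. FILENAME_MAX is 4096 on glibc, which is a noticeable stack allocation, so it is worth writing the later bound as sizeof(file_name) rather than repeating the macro, so the two cannot drift apart if the size is changed again.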
@@ -1238,7 +1238,8 @@
          file = NULL;
       }
    
-      sprintf(file_name, "%s#%ccodes", code_defs_file_name, tolower(code_letter));
+      snprintf(file_name, FILENAME_MAX, "%s#%ccodes", code_defs_file_name, tolower(code_letter));
+      file_name[FILENAME_MAX-1] = 0;
       packfile_password(PASSWORD);
       file = pack_fopen(file_name, F_READ_PACKED);
       packfile_password(NULL);
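Review bot: the explicit `file_name[FILENAME_MAX-1] = 0;` after snprintf is redundant, since snprintf always NUL-terminates when the size argument is non-zero; what the hunk lacks is a truncation check. A name longer than FILENAME_MAX-1 is silently cut and snprintf returns the length it wanted, so the truncated path goes straight into pack_fopen() and fails with a confusing error. Capture the return value, e.g. `int n = snprintf(file_name, sizeof(file_name), ...);` followed by `if (n < 0 || (size_t)n >= sizeof(file_name)) { /* report and skip the open */ }`, and use sizeof(file_name) in place of the repeated FILENAME_MAX.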
