Package: scantool
Version: 1.21+dfsg-3
Severity: important
Tags: patch

When using the SCAN CODES button, the program crashes due to a buffer overflow in the filename variable, which is limited to only 30 bytes. Unfortunately the Debian location of the support files requires more than that entire space.

The attached patch expands the hardcoded limit up to FILENAME_MAX - more than necessary, but at least it should no longer cause an overflow and there is really no advantage of specifying 60 or 256 bytes instead.

This problem does not prevent active reading of sensor parameters, but it does prevent reading of DTC, which is a rather core diagnostic feature of this program.

- Adam

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.7+ (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Index: scantool-1.21+dfsg/trouble_code_reader.c =================================================================== --- scantool-1.21+dfsg.orig/trouble_code_reader.c 2009-09-15 22:38:42.000000000 -0500 +++ scantool-1.21+dfsg/trouble_code_reader.c 2012-12-24 14:37:29.484907208 -0600 @@ -1221,7 +1221,7 @@ { static PACKFILE *file = NULL; static char current_code_letter = 0; - char file_name[30]; + char file_name[FILENAME_MAX]; if (code_letter == 0) { @@ -1238,7 +1238,8 @@ file = NULL; } - sprintf(file_name, "%s#%ccodes", code_defs_file_name, tolower(code_letter)); + snprintf(file_name, FILENAME_MAX, "%s#%ccodes", code_defs_file_name, tolower(code_letter)); + file_name[FILENAME_MAX-1] = 0; packfile_password(PASSWORD); file = pack_fopen(file_name, F_READ_PACKED); packfile_password(NULL);
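Review bot: FILENAME_MAX is a poor array bound for the `char file_name[FILENAME_MAX];` declaration in the first hunk (@@ -1221,7): the glibc manual advises against sizing arrays with it because it can be very large on systems that impose no fixed limit, and here the array lives on the stack. The formatted name needs only strlen(code_defs_file_name) plus 8 bytes (the '#', the code letter, "codes" and the terminator), so consider allocating exactly that, or using a documented fixed size, rather than relying on the macro.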
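Review bot: The return value of the new snprintf() call in the second hunk (@@ -1238,7) is discarded, so a name that does not fit is silently truncated and the shortened path is still handed to pack_fopen(). Check for a negative result or one greater than or equal to the buffer size and return an error before the pack_fopen() call. Passing sizeof(file_name) instead of repeating FILENAME_MAX would keep the bound tied to the declaration, and the added `file_name[FILENAME_MAX-1] = 0;` line is redundant with a C99-conforming snprintf(), which always terminates the output when the size is nonzero.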