Bug 2042316

Summary: genesys: backend crashes because it attempts to access a member outside of vector
Product: [Fedora] Fedora Reporter: Rutger Noot <rutger.noot>
Component: sane-backendsAssignee: Nils Philippsen <nphilipp>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 34CC: nphilipp, rutger.noot, thibault, zdohnal
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: sane-backends-1.1.1-2.fc34 sane-backends-1.1.1-2.fc35 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-02-02 01:15:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
backtrace after abort none

Description Rutger Noot 2022-01-19 08:55:12 UTC 
Created attachment 1851814 [details]
backtrace after abort

Description of problem:
When initiation a scan on a Plustek 8200i film scanner the application aborts (SIGABRT). This happens using xsane as well as simple scan, so it is likely a problem with the backend (the scanner uses genesys)

Version-Release number of selected component (if applicable):
sane-backends-1.0.32-5.fc34.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. launch xsane
2. select plustek usb scanner
3. click "scan" button

Actual results:
The program aborts

Expected results:
scanner scans

Additional info:
Looks a lot like Bug 1761530
Comment 1 Zdenek Dohnal 2022-01-19 13:43:49 UTC 
Hi Rutger,

thank you for reporting the issue!

Ok, so the core of the issue seems the same - the iterator 'size' is again 257 as in #1761530, and the number of elements in the vector 'rgamma' is lesser, so the access outside of the vector causes the abort.

The question is how many elements are in the 'rgamma' vector - the vector itself can be a vector 'dev->gamma_override_tables[0]' if it is not empty, or be created from default template by 'sanei_genesys_create_default_gamma_table()'.

Let's say it is generated from template for now, because it was the case with previous crashes - then I will need to know asic type of the scanner.

--------------------------------------------------------------

So it would be great if you ran xsane in gdb, set breakpoints on sanei_genesys_create_default_gamma_table, run the program, print 'dev->model->asic_type' once it stops and tell me the output.

$ gdb /usr/bin/xsane
(gdb) b sanei_genesys_create_default_gamma_table
(gdb) r
(gdb) p dev->model->asic_type
Comment 2 Rutger Noot 2022-01-19 18:20:54 UTC 
Result of gdb xsane (after first hit of the breakpoint)

(gdb) print dev->model->asic_type
Attempt to extract a component of a value that is not a structure pointer.
(gdb) print dev->model
$1 = (SANE_String_Const) 0x7fffe34a594d "ScanJet 5S"
(gdb) c
Continuing.

Thread 1 "xsane" hit Breakpoint 1, genesys::sanei_genesys_create_default_gamma_table (dev=0x55555577ad80, gamma_table=std::vector of length 0, capacity 0, gamma=1) at genesys/genesys.cpp:359
359	{
(gdb) print dev->model->asic_type
$2 = genesys::AsicType::GL845
(gdb) print dev->model
$3 = (const genesys::Genesys_Model *) 0x55555577ede0
Comment 3 Zdenek Dohnal 2022-01-20 09:29:06 UTC 
Thank you for the data!

So from sanei_genesys_create_default_gamma_table():

    } else if (dev->model->asic_type == AsicType::GL124 ||
               dev->model->asic_type == AsicType::GL846 ||
               dev->model->asic_type == AsicType::GL847) {
        size = 257; 
        max = 65535;
    } else {
        size = 256; 
        max = 65535;
    }

GL845 is missing, so the size is assigned to 256, which is lesser than the size from sanei_genesys_send_gamma_table().

Would you mind trying the testing rpms if they help? 

https://koji.fedoraproject.org/koji/taskinfo?taskID=81509612

Once I have your confirmation, I'll send the patch upstream.
Comment 4 Rutger Noot 2022-01-20 18:03:23 UTC 
It works just fine now, bug fixed. Thanks a lot!
Comment 5 Zdenek Dohnal 2022-01-21 05:36:57 UTC 
Thank you for letting me know! I've sent the patch upstream as https://gitlab.com/sane-project/backends/-/merge_requests/688 .
Comment 6 Fedora Update System 2022-01-24 15:38:21 UTC 
FEDORA-2022-274a29eeef has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-274a29eeef
Comment 7 Fedora Update System 2022-01-24 15:58:21 UTC 
FEDORA-2022-2667d76e7f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2022-2667d76e7f
Comment 8 Fedora Update System 2022-01-25 01:21:17 UTC 
FEDORA-2022-2667d76e7f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-2667d76e7f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-2667d76e7f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2022-01-25 02:10:29 UTC 
FEDORA-2022-274a29eeef has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-274a29eeef`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-274a29eeef

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2022-02-02 01:15:04 UTC 
FEDORA-2022-2667d76e7f has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 11 Fedora Update System 2022-02-02 01:24:58 UTC 
FEDORA-2022-274a29eeef has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.