From b3cdfd46195d2dda224dd3be30b6ffed04f1b59d Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 18 2021 06:47:27 +0000
Subject: import sane-backends-1.0.27-22.el8


---

diff --git a/SOURCES/0001-epson2-Rewrite-network-I-O.patch b/SOURCES/0001-epson2-Rewrite-network-I-O.patch
new file mode 100644
index 0000000..cb49af9
--- /dev/null
+++ b/SOURCES/0001-epson2-Rewrite-network-I-O.patch
@@ -0,0 +1,225 @@
+diff -up sane-backends-1.0.27/backend/epson2_net.c.epsonds-issues sane-backends-1.0.27/backend/epson2_net.c
+--- sane-backends-1.0.27/backend/epson2_net.c.epsonds-issues	2016-10-06 02:02:57.000000000 +0200
++++ sane-backends-1.0.27/backend/epson2_net.c	2020-07-28 15:04:58.385405722 +0200
+@@ -32,11 +32,12 @@
+ 
+ #include "sane/sanei_debug.h"
+ 
+-static int
++static ssize_t
+ sanei_epson_net_read_raw(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
+ 		       SANE_Status *status)
+ {
+-	int ready, read = -1;
++	int ready;
++	ssize_t read = -1;
+ 	fd_set readable;
+ 	struct timeval tv;
+ 
+@@ -62,111 +63,136 @@ sanei_epson_net_read_raw(Epson_Scanner *
+ 	return read;
+ }
+ 
+-int
+-sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
++static ssize_t
++sanei_epson_net_read_buf(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
+ 		       SANE_Status * status)
+ {
+-	ssize_t size;
+ 	ssize_t read = 0;
+-	unsigned char header[12];
+ 
+-	/* read from buffer, if available */
+-	if (s->netptr != s->netbuf) {
+-		DBG(23, "reading %lu from buffer at %p, %lu available\n",
+-			(u_long) wanted, s->netptr, (u_long) s->netlen);
++	DBG(23, "%s: reading up to %lu from buffer at %p, %lu available\n",
++		__func__, (u_long) wanted, s->netptr, (u_long) s->netlen);
+ 
+-		memcpy(buf, s->netptr, wanted);
+-		read = wanted;
++	if ((size_t) wanted > s->netlen) {
++		*status = SANE_STATUS_IO_ERROR;
++		wanted = s->netlen;
++	}
+ 
+-		s->netlen -= wanted;
++	memcpy(buf, s->netptr, wanted);
++	read = wanted;
+ 
+-		if (s->netlen == 0) {
+-			DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
+-			free(s->netbuf);
+-			s->netbuf = s->netptr = NULL;
+-			s->netlen = 0;
+-		}
++	s->netptr += read;
++	s->netlen -= read;
+ 
+-		return read;
++	if (s->netlen == 0) {
++		DBG(23, "%s: freeing %p\n", __func__, s->netbuf);
++		free(s->netbuf);
++		s->netbuf = s->netptr = NULL;
++		s->netlen = 0;
++	}
++
++	return read;
++}
++
++ssize_t
++sanei_epson_net_read(Epson_Scanner *s, unsigned char *buf, ssize_t wanted,
++		       SANE_Status * status)
++{
++	if (wanted < 0) {
++		*status = SANE_STATUS_INVAL;
++		return 0;
++	}
++
++	size_t size;
++	ssize_t read = 0;
++	unsigned char header[12];
++
++	/* read from remainder of buffer */
++	if (s->netptr) {
++		return sanei_epson_net_read_buf(s, buf, wanted, status);
+ 	}
+ 
+ 	/* receive net header */
+-	size = sanei_epson_net_read_raw(s, header, 12, status);
+-	if (size != 12) {
++	read = sanei_epson_net_read_raw(s, header, 12, status);
++	if (read != 12) {
+ 		return 0;
+ 	}
+ 
++	/* validate header */
+ 	if (header[0] != 'I' || header[1] != 'S') {
+ 		DBG(1, "header mismatch: %02X %02x\n", header[0], header[1]);
+ 		*status = SANE_STATUS_IO_ERROR;
+ 		return 0;
+ 	}
+ 
++	/* parse payload size */
+ 	size = be32atoh(&header[6]);
+ 
+-	DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
+-		(u_long) wanted, (u_long) size);
+-
+ 	*status = SANE_STATUS_GOOD;
+ 
+-	if (size == wanted) {
+-
+-		DBG(15, "%s: full read\n", __func__);
++	if (!s->netbuf) {
++		DBG(15, "%s: direct read\n", __func__);
++		DBG(23, "%s: wanted = %lu, available = %lu\n", __func__,
++			(u_long) wanted, (u_long) size);
+ 
+-		read = sanei_epson_net_read_raw(s, buf, size, status);
+-
+-		if (s->netbuf) {
+-			free(s->netbuf);
+-			s->netbuf = NULL;
+-			s->netlen = 0;
++		if ((size_t) wanted > size) {
++			wanted = size;
+ 		}
+ 
+-		if (read < 0) {
+-			return 0;
+-		}
+-		
+-/*	} else if (wanted < size && s->netlen == size) { */
++		read = sanei_epson_net_read_raw(s, buf, wanted, status);
+ 	} else {
+-		DBG(23, "%s: partial read\n", __func__);
++		DBG(15, "%s: buffered read\n", __func__);
++		DBG(23, "%s: bufferable = %lu, available = %lu\n", __func__,
++			(u_long) s->netlen, (u_long) size);
+ 
+-		read = sanei_epson_net_read_raw(s, s->netbuf, size, status);
+-		if (read != size) {
+-			return 0;
++		if (s->netlen > size) {
++			s->netlen = size;
+ 		}
+ 
+-		s->netlen = size - wanted;
+-		s->netptr += wanted;
+-		read = wanted;
+-
+-		DBG(23, "0,4 %02x %02x\n", s->netbuf[0], s->netbuf[4]);
+-		DBG(23, "storing %lu to buffer at %p, next read at %p, %lu bytes left\n",
+-			(u_long) size, s->netbuf, s->netptr, (u_long) s->netlen);
++		/* fill buffer */
++		read = sanei_epson_net_read_raw(s, s->netbuf, s->netlen, status);
++		s->netptr = s->netbuf;
++		s->netlen = (read > 0 ? read : 0);
+ 
+-		memcpy(buf, s->netbuf, wanted);
++		/* copy wanted part */
++		read = sanei_epson_net_read_buf(s, buf, wanted, status);
+ 	}
+ 
+ 	return read;
+ }
+ 
+-
+-int
++size_t
+ sanei_epson_net_write(Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
+ 			size_t buf_size, size_t reply_len, SANE_Status *status)
+ {
+ 	unsigned char *h1, *h2, *payload;
+ 	unsigned char *packet = malloc(12 + 8 + buf_size);
+ 
+-	/* XXX check allocation failure */
++	if (!packet) {
++		*status = SANE_STATUS_NO_MEM;
++		return 0;
++	}
+ 
+ 	h1 = packet;
+ 	h2 = packet + 12;
+ 	payload = packet + 12 + 8;
+ 
+ 	if (reply_len) {
+-		s->netbuf = s->netptr = malloc(reply_len);
++		if (s->netbuf) {
++			DBG(23, "%s, freeing %p, %ld bytes unprocessed\n",
++				__func__, s->netbuf, (u_long) s->netlen);
++			free(s->netbuf);
++			s->netbuf = s->netptr = NULL;
++			s->netlen = 0;
++		}
++		s->netbuf = malloc(reply_len);
++		if (!s->netbuf) {
++			free(packet);
++			*status = SANE_STATUS_NO_MEM;
++			return 0;
++		}
+ 		s->netlen = reply_len;
+-		DBG(24, "allocated %lu bytes at %p\n",
+-			(u_long) reply_len, s->netbuf);
++		DBG(24, "%s: allocated %lu bytes at %p\n", __func__,
++			(u_long) s->netlen, s->netbuf);
+ 	}
+ 
+ 	DBG(24, "%s: cmd = %04x, buf = %p, buf_size = %lu, reply_len = %lu\n",
+diff -up sane-backends-1.0.27/backend/epson2_net.h.epsonds-issues sane-backends-1.0.27/backend/epson2_net.h
+--- sane-backends-1.0.27/backend/epson2_net.h.epsonds-issues	2016-10-06 02:02:57.000000000 +0200
++++ sane-backends-1.0.27/backend/epson2_net.h	2020-07-28 14:51:59.666593530 +0200
+@@ -4,9 +4,9 @@
+ #include <sys/types.h>
+ #include "../include/sane/sane.h"
+ 
+-extern int sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size,
++extern ssize_t sanei_epson_net_read(struct Epson_Scanner *s, unsigned char *buf, ssize_t buf_size,
+ 				SANE_Status *status);
+-extern int sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
++extern size_t sanei_epson_net_write(struct Epson_Scanner *s, unsigned int cmd, const unsigned char *buf,
+ 				size_t buf_size, size_t reply_len,
+ 				SANE_Status *status);
+ extern SANE_Status sanei_epson_net_lock(struct Epson_Scanner *s);
diff --git a/SPECS/sane-backends.spec b/SPECS/sane-backends.spec
index 2249376..b826b14 100644
--- a/SPECS/sane-backends.spec
+++ b/SPECS/sane-backends.spec
@@ -33,7 +33,7 @@
 Summary: Scanner access software
 Name: sane-backends
 Version: 1.0.27
-Release: 19%{?dist}.1
+Release: 22%{?dist}
 # lib/ is LGPLv2+, backends are GPLv2+ with exceptions
 # Tools are GPLv2+, docs are public domain
 # see LICENSE for details
@@ -61,6 +61,8 @@ Patch4: sane-backends-canon-lide-100.patch
 Patch5: sane-backends-revert-samsung-patch.patch
 # 1852468, 1852467, 1852466, 1852465 - prevent buffer overflow in esci2_img
 Patch6: 0001-epsonds-Prevent-possible-buffer-overflow-when-readin.patch
+# 1852663, 1848097 - NULL pointer dereference in sanei_epson_net_read function
+Patch7: 0001-epson2-Rewrite-network-I-O.patch
 
 URL: http://www.sane-project.org
 
@@ -201,6 +203,7 @@ access image acquisition devices available on the local host.
 %patch4 -p1 -b .canon-lide-100
 %patch5 -p1 -b .revert-samsung-patch
 %patch6 -p1 -b .prevent-buffer-overflow
+%patch7 -p1 -b .rework-epsonds-io
 
 %build
 CFLAGS="%optflags -fno-strict-aliasing"
@@ -370,7 +373,13 @@ exit 0
 %{_unitdir}/saned@.service
 
 %changelog
-* Wed Jul 01 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-19.1
+* Tue Sep 08 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-22
+- related 1852663 - needed to rebuild due infrastructure error
+
+* Thu Sep 03 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-21
+- 1852663, 1848097 - NULL pointer dereference in sanei_epson_net_read function
+
+* Wed Jul 01 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.27-20
 - 1852468, 1852467, 1852466, 1852465 - prevent buffer overflow in esci2_img
 - 1852668, 1852667, 1852666, 1852665 - disable autodiscovery for epsonds backend