Bug 1533

Summary: scpi-pps config_list() does out-of-bounds array access when accessing channel_spec (channels) array
Product: libsigrok Reporter: Florian Schmidt <schmidt_florian>
Component: Driver: scpi-ppsAssignee: Nobody <nobody>
Status: RESOLVED FIXED    
Severity: normal CC: uwe
Priority: Normal    
Version: unreleased development snapshot   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Florian Schmidt 2020-04-08 12:56:22 CEST 
causes problems only if PPS has more than one measurable output unit per channel
(like voltage and current).

calling config_list() for channel groups other than only the first channel might result in out-of-bounds access returning garbage.

found with a 4 channel PPS that reports voltage & current per "hardware" channel.

$ sigrok-cli -g 3 --show
reported garbage limits for voltage_target & current_limits.
also SmuView displayed invalid/unusable ranges.

seen with libsigrok master HEAD 2b001a766ad5eadb38ce4025b62b06522b6c52c6.

proposed fix in pull-request https://github.com/sigrokproject/libsigrok/pull/56

i think the problem is caused by using ((struct sr_channel*)cg->channels->data)->index as index into devc->device->channels.
bot scpi-pps/api.c probe_device() can create more channels than there are (struct channel_spec)'s in that array. (comment there says "Create one channel per measurable output unit.") the code there also provides a (struct pps_channel) that includes the "hw_output_idx" which can be used a valid index. this is what i used in that pull-request.
Comment 1 Uwe Hermann 2020-04-11 16:06:39 CEST 
Fixed in 8f3c77db26dece82109b386ad5ba7ea344b1ec8f, thanks!