From 484743f652bdb238568b1b8cf815c7f6dd9ca724 Mon Sep 17 00:00:00 2001
From: Benjamin Berg <bberg@redhat.com>
Date: Thu, 7 May 2020 20:13:00 +0200
Subject: [PATCH] upekts: Assert correct packet length in __handle_incoming_msg

The surrounding code already checks this and reads the correct amount.
Add an assert to ensure we really never do an out of bounds read.
---
 libfprint/drivers/upekts.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/libfprint/drivers/upekts.c b/libfprint/drivers/upekts.c
index c9a8a2e..e6fac76 100644
--- a/libfprint/drivers/upekts.c
+++ b/libfprint/drivers/upekts.c
@@ -235,12 +235,19 @@ __handle_incoming_msg (FpDevice             *device,
 {
   GError *error = NULL;
   guint8 *buf = udata->buffer;
-  guint16 len = ((buf[5] & 0xf) << 8) | buf[6];
-  guint16 computed_crc = udf_crc (buf + 4, len + 3);
-  guint16 msg_crc = (buf[len + 8] << 8) | buf[len + 7];
+  guint16 len;
+  guint16 computed_crc;
+  guint16 msg_crc;
   unsigned char *retdata = NULL;
   unsigned char code_a, code_b;
 
+  g_assert (udata->buflen >= 6);
+  len = ((buf[5] & 0xf) << 8) | buf[6];
+
+  g_assert (udata->buflen >= len + 9);
+  computed_crc = udf_crc (buf + 4, len + 3);
+  msg_crc = (buf[len + 8] << 8) | buf[len + 7];
+
   if (computed_crc != msg_crc)
     {
       fp_err ("CRC failed, got %04x expected %04x", msg_crc, computed_crc);
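Review bot: The first added assert, `g_assert (udata->buflen >= 6);`, is one byte short for the statement it guards: the length decode on the next line reads `buf[6]`, which needs at least 7 bytes, so it should be `g_assert (udata->buflen >= 7);`. The second assert (`udata->buflen >= len + 9`) does match the highest index read afterwards, `buf[len + 8]`. Because `len` is decoded from the device-supplied packet and `g_assert` is compiled out when `G_DISABLE_ASSERT` is defined, these asserts cannot be the only bound. The commit message says the surrounding code already validates the length, and a short comment such as `/* length is validated by the read path; these asserts are a backstop only */` would make that dependency explicit. The body of `__handle_incoming_msg` continues past the end of this hunk, so how the CRC failure path proceeds is not visible here.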