depau/libfprint
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

lib: Fix fpi_img_is_sane()

Browse source 
The checks weren't:
- checking whether the width or height were negative
- whether img->width * img->height would overflow, or
  was bigger than G_MAXINT
- whether img->width * img->height was bigger than the total
  length of the buffer

The last one looks like a thinko, it checked for:
(img->length * img->height) < img->length
which is equivalent to:
img->height < 1
which we already check for earlier.

Closes: #85
This commit is contained in:
Bastien Nocera 2018-09-28 18:02:11 +02:00
parent c35ad20249
commit 94450a1d74
1 changed files with 10 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
libfprint/fpi-img.c
View file

@ -69,12 +69,19 @@ struct fp_img *fpi_img_new_for_imgdev(struct fp_img_dev *imgdev)
gboolean fpi_img_is_sane(struct fp_img *img)
{
guint len;
/* basic checks */
if (!img->length || !img->width || !img->height)
if (!img->length || img->width <= 0 || img->height <= 0)
return FALSE;
/* buffer is big enough? */
if ((img->length * img->height) < img->length)
/* Are width and height just too big? */
if (!g_uint_checked_mul(&len, img->width, img->height) ||
len > G_MAXINT)
return FALSE;
/* buffer big enough? */
if (len > img->length)
return FALSE;
return TRUE;