From ca26e85fd4f42162657aee5a065e93a4cab2b052 Mon Sep 17 00:00:00 2001
From: Seong-Joong Kim
Date: Wed, 20 Feb 2019 14:17:27 +0900
Subject: [PATCH] uru4000: Fix integer overflow in imaging_run_state()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

‘img->key_number’ variable is originally from the device through bulk endpoint of USB. The variable is immediately assigned to ‘buf[0]’ for sending to control endpoint of the device. Here, integer overflow may occur when the ‘img->key_number’ attempts to assign a value that is outside of type range of ‘char’ to the ‘buf[0]’
---
 libfprint/drivers/uru4000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libfprint/drivers/uru4000.c b/libfprint/drivers/uru4000.c
index 7830c56..6a3722b 100644
--- a/libfprint/drivers/uru4000.c
+++ b/libfprint/drivers/uru4000.c
@@ -710,7 +710,7 @@ static void imaging_run_state(fpi_ssm *ssm, struct fp_dev *_dev, void *user_data
 uint32_t key;
 uint8_t flags, num_lines;
 int i, r, to, dev2;
- char buf[5];
+ unsigned char buf[5];
 switch (fpi_ssm_get_cur_state(ssm)) {
 case IMAGING_CAPTURE:
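Review bot: The new declaration `unsigned char buf[5];` sits two lines below `uint8_t flags, num_lines;`, so `uint8_t buf[5];` would match the fixed-width style already used here and make the raw-byte intent explicit. The store `buf[0] = img->key_number` named in the description and the declaration of `key_number` are both outside the hunk. If that field is wider than 8 bits the assignment still truncates silently, so its type should be confirmed or the value range-checked before it is sent back on the control endpoint. Since the byte is device-supplied, a short comment on the declaration such as `/* raw bytes echoed to the device; must not be sign-extended */` would record why the signedness matters. Any call that receives `buf` through a `char *` parameter (not visible here) would now need a pointer-signedness check as well.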