The ‘img->key_number’ variable originally comes from the device through the
USB bulk endpoint. The variable is immediately assigned to ‘buf[0]’ for
sending to the control endpoint of the device. Here, an integer overflow may
occur when ‘img->key_number’ holds a value that is outside the range of
type ‘char’ and is assigned to ‘buf[0]’.
Remove the sanity check added in commit b1afa9d. Having a poll setup
isn't necessary to use timeouts, as long as only sync functions are
used.
Closes: #139
This will allow us to segregate helper functions that we want to use
within NBIS. The first helper will be a macro checking for overflow in
multiplications.
Free the maps if we're not returning them.
libfprint/nbis/mindtct/maps.c:176:14: warning: Potential leak of memory pointed to by 'direction_map'
return(ret);
^~~
libfprint/nbis/mindtct/maps.c:195:14: warning: Potential leak of memory pointed to by 'low_contrast_map'
return(ret);
^~~
libfprint/nbis/mindtct/maps.c:195:14: warning: Potential leak of memory pointed to by 'low_flow_map'
return(ret);
^~~
libfprint/nbis/bozorth3/bozorth3.c:704:1: warning: Value stored to 'kx' is never read
kx = 0;
^ ~
libfprint/nbis/bozorth3/bozorth3.c:820:4: warning: Value stored to 'l' is never read
l = 1;
^ ~
The first contour wasn't freed if we failed on the second contour.
libfprint/nbis/mindtct/contour.c:521:14: warning: Potential leak of memory pointed to by 'half1_ex'
return(ret);
^~~
libfprint/nbis/mindtct/contour.c:521:14: warning: Potential leak of memory pointed to by 'half1_ey'
return(ret);
^~~
libfprint/nbis/mindtct/contour.c:521:14: warning: Potential leak of memory pointed to by 'half1_x'
return(ret);
^~~
libfprint/nbis/mindtct/contour.c:521:14: warning: Potential leak of memory pointed to by 'half1_y'
return(ret);
^~~
libfprint/drivers/elan.c:351:4: warning: 2nd function call argument is an uninitialized value
dbg_buf(elandev->last_read, transfer->actual_length);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libfprint/drivers/elan.c:46:5: note: expanded from macro 'dbg_buf'
fp_dbg("%02x", buf[0]); \
^~~~~~~~~~~~~~~~~~~~~~
../../../../../../Projects/jhbuild/libfprint/libfprint/fpi-log.h:52:16: note: expanded from macro 'fp_dbg'
#define fp_dbg g_debug
^
libfprint/drivers/elan.c:351:4: warning: The left operand of '<<' is a garbage value
dbg_buf(elandev->last_read, transfer->actual_length);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libfprint/drivers/elan.c:48:27: note: expanded from macro 'dbg_buf'
fp_dbg("%04x", buf[0] << 8 | buf[1]); \
~~~~~~ ^
libfprint/drivers/elan.c:351:4: warning: The left operand of '<<' is a garbage value
dbg_buf(elandev->last_read, transfer->actual_length);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libfprint/drivers/elan.c:50:41: note: expanded from macro 'dbg_buf'
fp_dbg("%04x... (%d bytes)", buf[0] << 8 | buf[1], len)
~~~~~~ ^
By asserting if we have a zero line width.
libfprint/drivers/upeksonly.c:118:7: warning: Division by zero
mean /= (ctx->line_width / 2);
~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
We don't need to assign urudev if we only want the size of one of its
members.
libfprint/drivers/uru4000.c:554:20: warning: Value stored to 'urudev' during its initialization is never read
struct uru4k_dev *urudev = FP_INSTANCE_DATA(FP_DEV(dev));
^~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use GPtrArray to simplify the implementation.
libfprint/fpi-data.c:777:13: warning: Access to field 'data' results in a dereference of a null pointer (loaded from variable 'elem')
list[i] = elem->data;
^~~~~~~~~~
libfprint/fpi-data.c:497:7: warning: 2nd function call argument is an uninitialized value
if (!fp_dev_supports_print_data(dev, fdata)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libfprint/fpi-poll.c:398:11: warning: The left operand of '==' is a garbage value
else if (timercmp(&fprint_timeout, &libusb_timeout, <))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/time.h:162:17: note: expanded from macro 'timercmp'
(((a)->tv_sec == (b)->tv_sec) ? \
~~~~~~~~~~~ ^
libfprint/fpi-ssm.c:244:9: warning: Access to field 'completed' results in a dereference of a null pointer (loaded from variable 'machine')
BUG_ON(machine->completed);
^~~~~~~~~~~~~~~~~~
libfprint/fpi-log.h:84:6: note: expanded from macro 'BUG_ON'
if (condition) { \
^~~~~~~~~
See dda6857fee
and https://bugzilla.redhat.com/show_bug.cgi?id=1656518
When the number of lines to assemble is 1, the median_filter() function
would be passed -1 as its size as it was calculated with:
(num_lines / 2) - 1
so (1 / 2) - 1 = 0 - 1 = -1
Add a guard to stop drivers trying to assemble single lines. This
doesn't however fix the vfs5011 driver that tried to do that.
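The single-line case described in the last commit message above, as an added C example that is not libfprint's own code: filter_span() is the quoted expression, while median_filter_checked(), smooth_offsets() and the window of 3 are hypothetical names and values chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The size expression quoted in the commit message: yields -1 for one line. */
static int filter_span(int num_lines) { return (num_lines / 2) - 1; }

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Hypothetical sliding-window median; rejects a size that is not positive. */
static int median_filter_checked(int *data, int size, int window)
{
    if (data == NULL || size <= 0 || window <= 0)
        return -1;
    int *out = malloc((size_t)size * sizeof(*out));
    int *win = malloc((size_t)window * sizeof(*win));
    if (out == NULL || win == NULL) { free(out); free(win); return -1; }
    for (int i = 0; i < size; i++) {
        int lo = i - window / 2, n = 0;
        for (int j = lo; j < lo + window; j++)
            if (j >= 0 && j < size)
                win[n++] = data[j];
        qsort(win, (size_t)n, sizeof(*win), cmp_int);
        out[i] = win[n / 2];
    }
    memcpy(data, out, (size_t)size * sizeof(*out));
    free(out); free(win);
    return 0;
}

/* Hypothetical caller with the guard the commit describes: no single lines. */
static int smooth_offsets(int *offsets, int num_lines)
{
    if (num_lines < 2)
        return -1;
    int span = filter_span(num_lines);
    return span > 0 ? median_filter_checked(offsets, span, 3) : 0;
}

int main(void)
{
    int one[] = { 7 };  /* constructed single-line input */
    printf("span=%d guarded=%d\n", filter_span(1), smooth_offsets(one, 1));
    return 0;
}
```

Checking the size inside the filter as well as at the caller means a driver that still passes a single line gets an error return instead of a negative length reaching the allocation and copy.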