Integer multiplication overflows
Hello,
I'm giving libfprint a very quick review for Ubuntu as part of Ubuntu's Main Inclusion Request process. Sadly I do not have sufficient time to follow all code paths through to their conclusions, so I simply look for defensive coding practices.
There are extensive multiplications involving widths and heights in this codebase and none of the multiplications I've inspected appear prepared to handle values that are large enough to cause integer overflows.
There are some functions, sanitize_image() and fpi_img_is_sane(), but they do not check that the width times height does not overflow. (These functions are not frequently used, so they may not serve as a single point to mitigate against potentially bad inputs.)
Attackers supplying crafted values for the pattern malloc(a * b) is a common approach to attacking C programs. calloc() is usually a good replacement for this pattern, but in e.g. morph_TF_map() unchecked multiplications may also be used for loop bounds.
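As an added illustration of the defensive pattern being asked for (this is example code, not libfprint's own; the names checked_mul_size, image_buffer_size, alloc_zeroed_image and the MAX_IMAGE_DIM limit are assumptions for the illustration), the width/height product is validated once and that validated size is then used both for the allocation and as the loop bound, so the allocation and the loop can never disagree:

```c
/*
 * Added example (not libfprint code): overflow-checked sizing for the
 * malloc(width * height) pattern. checked_mul_size, image_buffer_size,
 * alloc_zeroed_image and MAX_IMAGE_DIM are assumed names for this
 * illustration, not libfprint identifiers.
 */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Upper bound on a single image dimension. This is a sanity limit a
 * caller picks for its device class (an assumption here), not a value
 * taken from libfprint; it keeps absurd sizes out even when they would
 * not overflow. */
#define MAX_IMAGE_DIM 4096

/* Portable overflow check for a * b on size_t. Succeeds only when the
 * product fits, so the result is safe to pass to malloc()/memset()/memcpy()
 * and to use as a loop bound. */
bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Validate signed width/height (as many image APIs pass them) and compute
 * the byte count of a width*height*bpp buffer without overflow. Returns
 * false on negative, zero, oversized or overflowing inputs. */
bool image_buffer_size(int width, int height, size_t bpp, size_t *out)
{
    if (width <= 0 || height <= 0 || bpp == 0)
        return false;
    if (width > MAX_IMAGE_DIM || height > MAX_IMAGE_DIM)
        return false;
    size_t pixels;
    if (!checked_mul_size((size_t)width, (size_t)height, &pixels))
        return false;
    return checked_mul_size(pixels, bpp, out);
}

/* Allocation wrapper: the size is validated once, and the same validated
 * value bounds the loop, so the loop cannot run past the buffer. The
 * explicit loop stands in for the kind of per-pixel loop the report
 * mentions; calloc(pixels, bpp) would also reject an overflowing product,
 * but only protects the allocation, not loops that recompute w*h. */
unsigned char *alloc_zeroed_image(int width, int height, size_t bpp, size_t *len)
{
    size_t n;
    if (!image_buffer_size(width, height, bpp, &n))
        return NULL;
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)   /* bound derived from the checked size */
        buf[i] = 0;
    *len = n;
    return buf;
}
```

The point of routing every width*height computation through one checked helper is that a single validation site (rather than each of the functions listed below repeating the multiplication) is what lets a reviewer confirm the property in limited time.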
- alloc_power_stats(): multiple integer overflow possibilities
- morph_TF_map(): multiplies mw and mh together for memory allocations, loop bounds
- lfs_detect_minutiae_V2(): memory allocation with iw*ih
- pixelize_map(): integer overflows in malloc(), loop bounds
- allocate_contour(): integer overflows in malloc()
- main() in ./examples/img_capture_continuous.c: integer overflows in malloc()
- gen_initial_maps(): integer overflows in malloc(), memset() calls
- interpolate_direction_map(): integer overflows in malloc(), memcpy() calls
- gen_high_curve_map(): integer overflows in malloc(), memset() calls
- gen_initial_imap(): integer overflows in malloc(), memset() calls
- gen_quality_map(): integer overflows in malloc(), array index
Thanks