-
Seong-Joong Kim authored
‘img->key_number’ variable is originally from the device through bulk endpoint of USB. The variable is immediately assigned to ‘buf[0]’ for sending to control endpoint of the device. Here, integer overflow may occur when the ‘img->key_number’ attempts to assign a value that is outside of type range of ‘char’ to the ‘buf[0]’
ca26e85f