Commit ca26e85f authored by Seong-Joong Kim's avatar Seong-Joong Kim

uru4000: Fix integer overflow in imaging_run_state()

‘img->key_number’ variable is originally from the device through bulk
endpoint of USB. The variable is immediately assigned to ‘buf[0]’ for
sending to control endpoint of the device. Here, integer overflow may
occur when the ‘img->key_number’ attempts to assign a value that is
outside of type range of ‘char’ to the ‘buf[0]’
parent 07143803
Pipeline #21007 passed with stages
in 3 minutes and 10 seconds
...@@ -710,7 +710,7 @@ static void imaging_run_state(fpi_ssm *ssm, struct fp_dev *_dev, void *user_data ...@@ -710,7 +710,7 @@ static void imaging_run_state(fpi_ssm *ssm, struct fp_dev *_dev, void *user_data
uint32_t key; uint32_t key;
uint8_t flags, num_lines; uint8_t flags, num_lines;
int i, r, to, dev2; int i, r, to, dev2;
char buf[5]; unsigned char buf[5];
switch (fpi_ssm_get_cur_state(ssm)) { switch (fpi_ssm_get_cur_state(ssm)) {
case IMAGING_CAPTURE: case IMAGING_CAPTURE:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment