potential segmentation fault about adafruit-fingerprint-sensor-library HOT 2 CLOSED

Hello everyone,

I have experienced a manipulation of a local variable caused by buffer overflows in the functions below. The packet array is too short to be used for the reply and hence overrides memory on the stack.

I solved this issue by using another buffer to temporarily store the reply packet.

`uint8_t Adafruit_Fingerprint::getImage(void) {
uint8_t packet[] = {FINGERPRINT_GETIMAGE};
writePacket(theAddress, FINGERPRINT_COMMANDPACKET, 3, packet);
uint8_t len = getReply(packet);

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))
return -1;
return packet[1];
}

uint8_t Adafruit_Fingerprint::image2Tz(uint8_t slot) {
uint8_t packet[] = {FINGERPRINT_IMAGE2TZ, slot};
writePacket(theAddress, FINGERPRINT_COMMANDPACKET, sizeof(packet)+2, packet);
uint8_t len = getReply(packet);

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))
return -1;
return packet[1];
}

uint8_t Adafruit_Fingerprint::createModel(void) {
uint8_t packet[] = {FINGERPRINT_REGMODEL};
writePacket(theAddress, FINGERPRINT_COMMANDPACKET, sizeof(packet)+2, packet);
uint8_t len = getReply(packet);

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))
return -1;
return packet[1];
}

uint8_t Adafruit_Fingerprint::storeModel(uint16_t id) {
uint8_t packet[] = {FINGERPRINT_STORE, 0x01, id >> 8, id & 0xFF};
writePacket(theAddress, FINGERPRINT_COMMANDPACKET, sizeof(packet)+2, packet);
uint8_t len = getReply(packet);

if ((len != 1) && (packet[0] != FINGERPRINT_ACKPACKET))
return -1;
return packet[1];
}`

from adafruit-fingerprint-sensor-library.

hiya you may want to try the latest version we just committed. it fixes many bugs - thx!

from adafruit-fingerprint-sensor-library.