Hi Alan, Thanks for your e-mail and patch.
I expect it to be in worst case some re-used memory of libfprint, so it's not really a security leak, since the only sensitive information is saved to the disk. But I'll take your patch. Regards, Vasily On Thu, Aug 18, 2016 at 3:01 PM, Alan Davidson <a...@key.me> wrote: > Hi libfprint folks - > > I was enrolling fingerprints and saving the data to files (using > fp_print_data_get_data), when I noticed that the data section for the > minutiae had interesting stuff in the unused parts. This is to say, the > xyt_struct (from bozorth.h) allocates space for 200 minutiae, and if I only > use 50 of them, the other 150 are still allocated and have stuff in them. > These values come from things that were previously allocated and deallocated > on the heap, and the data is still there because it wasn't zeroed out when > we re-allocated it. > > I think it should be zeroed out, to prevent leaking whatever used to be in > this memory. What do you think? It's a very easy change; see the commit at > [1], though I'm unclear how to transfer it to your repo. Without this > change, enrolled fingerprints saved to file on my computer have non-null > data in the unused minutiae, and with it, all the unused minutiae are full > of null bytes. > > A little more detail: this happens in fpi_img_to_print_data (in img.c), when > we create a new item to store the minutiae in xyt format. The data is later > copied wholesale into the output buffer in fp_print_data_get_data. > > Thanks for taking a look! > > - Alan > > [1] > https://github.com/keyme/libfprint/commit/1b71aff9ea389c427f9f8bfaabf8aa0acde37269 > > _______________________________________________ > fprint mailing list > fprint@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/fprint > _______________________________________________ fprint mailing list fprint@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/fprint
