From 5b51f9c8ccf33424636e4e32cb6205204e816940 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
Date: Mon, 8 Jun 2026 13:47:41 +0200
Subject: [PATCH] egis_etu905: Sanitize print data parsing

---
 libfprint/drivers/egismoc/egis_etu905.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/libfprint/drivers/egismoc/egis_etu905.c b/libfprint/drivers/egismoc/egis_etu905.c
index c9b9ab3a..0a5655f1 100644
--- a/libfprint/drivers/egismoc/egis_etu905.c
+++ b/libfprint/drivers/egismoc/egis_etu905.c
@@ -318,7 +318,7 @@ static guint16
 egis_etu905_get_check_bytes (FpiByteReader *reader)
 {
   fp_dbg ("Get check bytes");
-  size_t sum_values = 0;
+  guint64 sum_values = 0;
   guint16 val;
 
   fpi_byte_reader_set_pos (reader, 0);
@@ -562,8 +562,6 @@ egis_etu905_get_delete_cmd (FpDevice *device,
   const guchar *print_data_id = NULL;
   gsize print_data_id_len = 0;
   g_autofree gchar *print_description = NULL;
-  g_autofree guchar *enrolled_print_id = NULL;
-  g_autofree guchar *result = NULL;
   gboolean written = TRUE;
 
   /*
@@ -639,7 +637,8 @@ egis_etu905_get_delete_cmd (FpDevice *device,
       g_object_get (delete_print, "description", &print_description, NULL);
       g_object_get (delete_print, "fpi-data", &print_data, NULL);
 
-      if (!g_variant_check_format_string (print_data, "(@ay)", FALSE))
+      if (!print_data ||
+          !g_variant_check_format_string (print_data, "(@ay)", FALSE))
         {
           fpi_ssm_mark_failed (self->task_ssm,
                                fpi_device_error_new (FP_DEVICE_ERROR_DATA_INVALID));
@@ -650,11 +649,21 @@ egis_etu905_get_delete_cmd (FpDevice *device,
       print_data_id = g_variant_get_fixed_array (print_data_id_var,
                                                  &print_data_id_len, sizeof (guchar));
 
-      if (!g_str_has_prefix (print_description, "FP"))
-        fp_dbg ("Fingerprint '%s' was not created by libfprint; deleting anyway.",
-                print_description);
+      if (print_data_id_len != EGIS_ETU905_FINGERPRINT_DATA_SIZE)
+        {
+          fpi_ssm_mark_failed (self->task_ssm,
+                               fpi_device_error_new_msg (FP_DEVICE_ERROR_DATA_INVALID,
+                                                         "Stored print id has "
+                                                         "unexpected length %zu",
+                                                         print_data_id_len));
+          return NULL;
+        }
 
-      fp_info ("Delete fingerprint %s", print_description);
+      if (!print_description || !g_str_has_prefix (print_description, "FP"))
+        fp_dbg ("Fingerprint '%s' was not created by libfprint; deleting anyway.",
+                print_description ? print_description : "(null)");
+
+      fp_info ("Delete fingerprint %s", print_description ? print_description : "(null)");
 
       written &= fpi_byte_writer_put_data (&writer, print_data_id,
                                            EGIS_ETU905_FINGERPRINT_DATA_SIZE);