fix: ERC1155 batch-transfer UI omits token IDs and per-ID quantities

The ERC1155 safeBatchTransferFrom (0x2eb2c2d6) review path explicitly
skipped copying token IDs (`// don't copy anything since we won't
display it`) and summed every value into a single context->value. The
device then only rendered "<total> from <count> NFT IDs", which let a
malicious dApp slip a high-value token ID into a batch of innocuous
ones without the user being able to detect it on-screen.

Capture the first ERC1155_BATCH_DISPLAY_MAX (id, value) pairs into the
plugin context, render each pair on its own pair of screens, and add
an explicit "WARNING — Only first N of M IDs shown" screen whenever
the batch is larger than what we can surface. The aggregate Total
Quantity screen is preserved.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: cedelavergne-ledger

src/plugins/erc1155/erc1155_plugin.c

@@ -59,7 +59,13 @@ void handle_finalize_1155(ethPluginFinalize_t *msg) {
             msg->numScreens = 5;
             break;
         case SAFE_BATCH_TRANSFER:
-            msg->numScreens = 4;
+            // To, Collection Name, NFT Address, Total Quantity
+            // + 2 screens per displayed pair (ID + Quantity)
+            // + 1 warning screen if truncated.
+            msg->numScreens = 4 + 2 * context->batch_displayed;
+            if (context->batch_truncated) {
+                msg->numScreens += 1;
+            }
             break;
         case SET_APPROVAL_FOR_ALL:
             msg->numScreens = 3;

src/plugins/erc1155/erc1155_plugin.h

@@ -8,6 +8,12 @@
 
 // Internal plugin for EIP 1155: https://eips.ethereum.org/EIPS/eip-1155
 
+// Maximum number of (id, value) pairs surfaced individually during a
+// safeBatchTransferFrom review. Anything beyond this is reported via the
+// aggregate quantity screen plus a truncation warning so the user is told
+// the on-device view is incomplete.
+#define ERC1155_BATCH_DISPLAY_MAX 3
+
 typedef struct erc1155_context_t {
     uint8_t address[ADDRESS_LENGTH];
     uint8_t tokenId[INT256_LENGTH];
@@ -22,6 +28,14 @@ typedef struct erc1155_context_t {
     bool approved;
     uint8_t next_param;
     uint8_t selectorIndex;
+
+    // SAFE_BATCH_TRANSFER review data. Without these, the UI only displayed
+    // an aggregate "<total> from <count> NFT IDs" line and gave the user no
+    // way to detect a high-value token ID hidden among innocuous ones.
+    uint8_t batch_ids[ERC1155_BATCH_DISPLAY_MAX][INT256_LENGTH];
+    uint8_t batch_values[ERC1155_BATCH_DISPLAY_MAX][INT256_LENGTH];
+    uint8_t batch_displayed;
+    bool batch_truncated;
 } erc1155_context_t;
 
 void handle_provide_parameter_1155(ethPluginProvideParameter_t *parameters);

src/plugins/erc1155/erc1155_provide_parameters.c

@@ -63,12 +63,20 @@ static void handle_batch_transfer(ethPluginProvideParameter_t *msg, erc1155_cont
             }
             context->ids_array_len =
                 U2BE(msg->parameter, PARAMETER_LENGTH - sizeof(context->ids_array_len));
+            context->batch_displayed = (context->ids_array_len > ERC1155_BATCH_DISPLAY_MAX)
+                                           ? ERC1155_BATCH_DISPLAY_MAX
+                                           : (uint8_t) context->ids_array_len;
+            context->batch_truncated = context->ids_array_len > ERC1155_BATCH_DISPLAY_MAX;
             context->next_param = TOKEN_ID;
             // set to zero for next step
             context->array_index = 0;
             break;
         case TOKEN_ID:
-            // don't copy anything since we won't display it
+            // Surface the first batch entries to the user so a malicious
+            // batch cannot hide a high-value token ID behind innocuous ones.
+            if (context->array_index < ERC1155_BATCH_DISPLAY_MAX) {
+                memcpy(context->batch_ids[context->array_index], msg->parameter, INT256_LENGTH);
+            }
             if (--context->ids_array_len == 0) {
                 context->next_param = VALUE_LENGTH;
             }
@@ -98,6 +106,12 @@ static void handle_batch_transfer(ethPluginProvideParameter_t *msg, erc1155_cont
         case VALUE:
             // put it temporarily in token id since we don't use it in batch transfer
             copy_parameter(context->tokenId, msg->parameter, sizeof(context->value));
+            // Keep the first per-id values so they pair up with batch_ids
+            // entries on screen. Anything past ERC1155_BATCH_DISPLAY_MAX is
+            // still aggregated into the total below.
+            if (context->array_index < ERC1155_BATCH_DISPLAY_MAX) {
+                memcpy(context->batch_values[context->array_index], msg->parameter, INT256_LENGTH);
+            }
             convertUint256BE(context->tokenId, sizeof(context->tokenId), &new_value);
             add256(&context->value, &new_value, &context->value);
             if (--context->values_array_len == 0) {

src/plugins/erc1155/erc1155_ui.c

@@ -86,11 +86,25 @@ static void set_transfer_ui(ethQueryContractUI_t *msg, erc1155_context_t *contex
     }
 }
 
+// Screen indices for the SAFE_BATCH_TRANSFER review. Fixed-index screens
+// are mapped 1:1 to the enum; per-pair detail screens (PAIR_BASE..) and the
+// truncation warning use dynamic indices computed from batch_displayed.
+enum {
+    BATCH_SCREEN_TO = 0,
+    BATCH_SCREEN_COLLECTION,
+    BATCH_SCREEN_NFT_ADDRESS,
+    BATCH_SCREEN_TOTAL_QUANTITY,
+    BATCH_SCREEN_PAIR_BASE,
+};
+
 static void set_batch_transfer_ui(ethQueryContractUI_t *msg, erc1155_context_t *context) {
     char quantity_str[48];
+    uint8_t idx = msg->screenIndex;
+    uint8_t pair_screens = (uint8_t) (2 * context->batch_displayed);
+    uint8_t warn_idx = (uint8_t) (BATCH_SCREEN_PAIR_BASE + pair_screens);
 
-    switch (msg->screenIndex) {
-        case 0:
+    switch (idx) {
+        case BATCH_SCREEN_TO:
             strlcpy(msg->title, "To", msg->titleLength);
             if (!getEthDisplayableAddress(context->address,
                                           msg->msg,
@@ -99,11 +113,11 @@ static void set_batch_transfer_ui(ethQueryContractUI_t *msg, erc1155_context_t *
                 msg->result = ETH_PLUGIN_RESULT_ERROR;
             }
             break;
-        case 1:
+        case BATCH_SCREEN_COLLECTION:
             strlcpy(msg->title, "Collection Name", msg->titleLength);
             strlcpy(msg->msg, msg->item1->nft.collectionName, msg->msgLength);
             break;
-        case 2:
+        case BATCH_SCREEN_NFT_ADDRESS:
             strlcpy(msg->title, "NFT Address", msg->titleLength);
             if (!getEthDisplayableAddress(msg->item1->nft.contractAddress,
                                           msg->msg,
@@ -112,11 +126,11 @@ static void set_batch_transfer_ui(ethQueryContractUI_t *msg, erc1155_context_t *
                 msg->result = ETH_PLUGIN_RESULT_ERROR;
             }
             break;
-        case 3:
+        case BATCH_SCREEN_TOTAL_QUANTITY:
             strlcpy(msg->title, "Total Quantity", msg->titleLength);
             if (!tostring256(&context->value, 10, &quantity_str[0], sizeof(quantity_str))) {
                 msg->result = ETH_PLUGIN_RESULT_ERROR;
-                break;
+                return;
             }
             snprintf(msg->msg,
                      msg->msgLength,
@@ -125,8 +139,38 @@ static void set_batch_transfer_ui(ethQueryContractUI_t *msg, erc1155_context_t *
                      context->array_index);
             break;
         default:
-            PRINTF("Unsupported screen index %d\n", msg->screenIndex);
-            msg->result = ETH_PLUGIN_RESULT_ERROR;
+            // Per-pair detail screens, then optional truncation warning.
+            if (idx >= BATCH_SCREEN_PAIR_BASE && idx < BATCH_SCREEN_PAIR_BASE + pair_screens) {
+                uint8_t pair_offset = (uint8_t) (idx - BATCH_SCREEN_PAIR_BASE);
+                uint8_t pair_idx = (uint8_t) (pair_offset / 2);
+                bool show_value = (pair_offset % 2) == 1;
+                if (show_value) {
+                    uint256_t v;
+                    convertUint256BE(context->batch_values[pair_idx], INT256_LENGTH, &v);
+                    snprintf(msg->title, msg->titleLength, "Quantity #%d", pair_idx + 1);
+                    if (!tostring256(&v, 10, msg->msg, msg->msgLength)) {
+                        msg->result = ETH_PLUGIN_RESULT_ERROR;
+                    }
+                } else {
+                    snprintf(msg->title, msg->titleLength, "NFT ID #%d", pair_idx + 1);
+                    if (!uint256_to_decimal(context->batch_ids[pair_idx],
+                                            INT256_LENGTH,
+                                            msg->msg,
+                                            msg->msgLength)) {
+                        msg->result = ETH_PLUGIN_RESULT_ERROR;
+                    }
+                }
+            } else if (context->batch_truncated && idx == warn_idx) {
+                strlcpy(msg->title, "WARNING", msg->titleLength);
+                snprintf(msg->msg,
+                         msg->msgLength,
+                         "Only first %d of %d IDs shown",
+                         ERC1155_BATCH_DISPLAY_MAX,
+                         context->array_index);
+            } else {
+                PRINTF("Unsupported screen index %d\n", idx);
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+            }
             break;
     }
 }