Fix buffer over-read in MADCardHolderInfoDecode

AlxCzl · AlxCzl · commit 10cd87175d78 · 2026-06-02T19:04:11.000+02:00
diff --git a/client/src/mifare/mad.c b/client/src/mifare/mad.c
@@ -289,12 +289,14 @@ int MADCardHolderInfoDecode(uint8_t *data, size_t datalen, bool verbose) {
         uint8_t len = data[idx] & 0x3f;
         uint8_t type = data[idx] >> 6;
         idx++;
-        if (len > 0) {
-            PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);
-            idx += len;
-        } else {
+        if (len == 0)
+            break;
+        if (idx + len > datalen) {
+            PrintAndLogEx(WARNING, "Card holder info truncated (need %u bytes, %zu available)", len, datalen - idx);
             break;
         }
+        PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);
+        idx += len;
     }
     return PM3_SUCCESS;
 }

Original file line number	Diff line number	Diff line change
`@@ -289,12 +289,14 @@ int MADCardHolderInfoDecode(uint8_t *data, size_t datalen, bool verbose) {`
`289`	`289`	`uint8_t len = data[idx] & 0x3f;`
`290`	`290`	`uint8_t type = data[idx] >> 6;`
`291`	`291`	`idx++;`
`292`		`- if (len > 0) {`
`293`		`- PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);`
`294`		`- idx += len;`
`295`		`- } else {`
	`292`	`+ if (len == 0)`
	`293`	`+ break;`
	`294`	`+ if (idx + len > datalen) {`
	`295`	`+ PrintAndLogEx(WARNING, "Card holder info truncated (need %u bytes, %zu available)", len, datalen - idx);`
`296`	`296`	`break;`
`297`	`297`	`}`
	`298`	`+ PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);`
	`299`	`+ idx += len;`
`298`	`300`	`}`
`299`	`301`	`return PM3_SUCCESS;`
`300`	`302`	`}`