Merge pull request #3353 from AlxCzl/fix-mad1-loop-oob

iceman1001 · web-flow · commit 458acf4fc63e · 2026-06-02T20:43:48.000+02:00
Fix MAD1 off-by-one in MADDecode: loop read Key A as 16th AID
diff --git a/client/src/mifare/mad.c b/client/src/mifare/mad.c
@@ -264,8 +264,7 @@ int MADDecode(uint8_t *sector0, uint8_t *sector16, uint16_t *mad, size_t *madlen
         PrintAndLogEx(INFO, "overriding crc check");
     }
 
-    // 7 + 8 == 15
-    for (int i = 1; i <= 16; i++) {
+    for (int i = 1; i < 16; i++) {
         mad[*madlen] = madGetAID(sector0, swapmad, 1, i);
         (*madlen)++;
     }
diff --git a/client/src/mifare/mad.h b/client/src/mifare/mad.h
@@ -21,8 +21,8 @@
 
 #include "common.h"
 
-// 16 MAD1 AIDs + 1 MAD2 marker (0x0005) + 23 MAD2 AIDs = 40
-#define MAD_MAX_AID_ENTRIES 40
+// 15 MAD1 AIDs (sectors 1-15) + 1 MAD2 marker (0x0005) + 23 MAD2 AIDs (sectors 17-39) = 39
+#define MAD_MAX_AID_ENTRIES 39
 
 int MADCheck(uint8_t *sector0, uint8_t *sector16, bool verbose, bool *haveMAD2);
 int MADDecode(uint8_t *sector0, uint8_t *sector16, uint16_t *mad, size_t *madlen, bool swapmad, bool override);

Original file line number	Diff line number	Diff line change
`@@ -264,8 +264,7 @@ int MADDecode(uint8_t sector0, uint8_t sector16, uint16_t mad, size_t madlen`
`264`	`264`	`PrintAndLogEx(INFO, "overriding crc check");`
`265`	`265`	`}`
`266`	`266`
`267`		`- // 7 + 8 == 15`
`268`		`- for (int i = 1; i <= 16; i++) {`
	`267`	`+ for (int i = 1; i < 16; i++) {`
`269`	`268`	`mad[*madlen] = madGetAID(sector0, swapmad, 1, i);`
`270`	`269`	`(*madlen)++;`
`271`	`270`	`}`