Merge pull request #3354 from AlxCzl/fix-mad-cardholder-overread

iceman1001 · web-flow · commit b3f1913f184e · 2026-06-02T20:41:29.000+02:00
Fix buffer over-read in MADCardHolderInfoDecode
diff --git a/client/src/mifare/mad.c b/client/src/mifare/mad.c
@@ -291,12 +291,14 @@ int MADCardHolderInfoDecode(uint8_t *data, size_t datalen, bool verbose) {
         uint8_t len = data[idx] & 0x3f;
         uint8_t type = data[idx] >> 6;
         idx++;
-        if (len > 0) {
-            PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);
-            idx += len;
-        } else {
+        if (len == 0)
+            break;
+        if (idx + len > datalen) {
+            PrintAndLogEx(WARNING, "Card holder info truncated (need %u bytes, %zu available)", len, datalen - idx);
             break;
         }
+        PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);
+        idx += len;
     }
     return PM3_SUCCESS;
 }

Original file line number	Diff line number	Diff line change
`@@ -291,12 +291,14 @@ int MADCardHolderInfoDecode(uint8_t *data, size_t datalen, bool verbose) {`
`291`	`291`	`uint8_t len = data[idx] & 0x3f;`
`292`	`292`	`uint8_t type = data[idx] >> 6;`
`293`	`293`	`idx++;`
`294`		`- if (len > 0) {`
`295`		`- PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);`
`296`		`- idx += len;`
`297`		`- } else {`
	`294`	`+ if (len == 0)`
	`295`	`+ break;`
	`296`	`+ if (idx + len > datalen) {`
	`297`	`+ PrintAndLogEx(WARNING, "Card holder info truncated (need %u bytes, %zu available)", len, datalen - idx);`
`298`	`298`	`break;`
`299`	`299`	`}`
	`300`	`+ PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);`
	`301`	`+ idx += len;`
`300`	`302`	`}`
`301`	`303`	`return PM3_SUCCESS;`
`302`	`304`	`}`