From 98552b54dc6087043694be0cc755d4d80eb8a180 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Tue, 24 Mar 2026 12:56:26 +0700
Subject: [PATCH] fix mac_input_idx to possible overflow u8, and some sanity checks that what we got doesnt overflow when we copy it into cmac calcs

---
 armsrc/seos.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/armsrc/seos.c b/armsrc/seos.c
index 27b1932a4..520cf6d65 100644
--- a/armsrc/seos.c
+++ b/armsrc/seos.c
@@ -276,6 +276,7 @@ void SimulateSeos(seos_emulate_req_t *msg) {
             if (odd_reply) {
                 p_response = &responses[RESP_INDEX_ATQA];
             }
+
         } else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
             p_response = &responses[RESP_INDEX_ATQA];
         } else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 2) { // Received request for UID (cascade 1)
@@ -301,6 +302,7 @@ void SimulateSeos(seos_emulate_req_t *msg) {
             p_response = &responses[RESP_INDEX_ATS];
             got_rats = true;
         } else {
+            // clear old dynamic responses
             dynamic_response_info.response_n = 0;
             dynamic_response_info.modulation_n = 0;
@@ -656,13 +658,17 @@ void SimulateSeos(seos_emulate_req_t *msg) {
             memcpy(rndCounter, RND_ICC, half_bs);
             memcpy(rndCounter + half_bs, RND_IFD, half_bs);
+            // skip zero bytes
             for (int8_t i = bs - 1; i >= 0; i--) {
                 rndCounter[i]++;
-                if (rndCounter[i] != 0x00) break;
+
+                if (rndCounter[i]) {
+                    break;
+                }
             }
             uint8_t *mac_input = work_buffer_a;
-            uint8_t mac_input_idx = 0;
+            uint16_t mac_input_idx = 0;
             // Add RND_* counter to mac_input
             memcpy(mac_input + mac_input_idx, rndCounter, bs);
@@ -676,6 +682,10 @@ void SimulateSeos(seos_emulate_req_t *msg) {
             mac_input_idx += bs;
             // Add received TLV data to mac_input
+            if (mac_input_idx + recvd_cmac_offset + bs > WORK_BUFFER_SIZE) {
+                Dbprintf(_RED_("Get Data failed") ": CMAC input too large.");
+                break;
+            }
             memcpy(mac_input + mac_input_idx, received_tlv, recvd_cmac_offset);
             mac_input_idx += recvd_cmac_offset;
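Review bot: The comment `// skip zero bytes` added above the `for` loop in the @@ -656 +658 hunk misdescribes what the loop does: it increments rndCounter as a big-endian counter and the new `if (rndCounter[i]) { break; }` stops carry propagation at the first byte that did not wrap to zero, so I'd write `// increment rndCounter as a big-endian counter; stop at the first byte that did not wrap (no carry)`. Widening `mac_input_idx` to `uint16_t` only removes the wrap if WORK_BUFFER_SIZE is above 255 and every later `mac_input_idx += …` stays below 65536; neither value is visible here, so it is worth confirming against the WORK_BUFFER_SIZE definition. The loop index `int8_t i = bs - 1` also silently skips the whole loop if `bs` were 128 or more, which is presumably impossible for a cipher block size but deserves a one-line comment. The enclosing function body starts and ends outside the hunk.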
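Review bot: The new guard `mac_input_idx + recvd_cmac_offset + bs > WORK_BUFFER_SIZE` in the @@ -676 +682 hunk only protects the memcpy below it if `recvd_cmac_offset` cannot be negative; its declaration is outside the hunk, and if it is a signed type a negative value passes the comparison and is then converted to a huge `size_t` length in `memcpy`. The same applies to `tlv_idx - tlv_base` in the @@ -770 +780 hunk. I'd make the guard reject that case explicitly, `if (recvd_cmac_offset < 0 || (size_t)mac_input_idx + (size_t)recvd_cmac_offset + bs > WORK_BUFFER_SIZE) {`, and add a comment stating why `bs` extra bytes are reserved, e.g. `// reserve bs bytes for the block appended after the TLV data — confirm against the CMAC padding below`. The `break` leaves the enclosing loop, which begins outside the hunk, so whether aborting the whole simulation rather than answering with an error status is the intended failure mode is not visible here.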
@@ -770,6 +780,10 @@ void SimulateSeos(seos_emulate_req_t *msg) {
             memcpy(mac_input + mac_input_idx, rndCounter, bs);
             mac_input_idx += bs;
+            if (mac_input_idx + (tlv_idx - tlv_base) + bs > WORK_BUFFER_SIZE) {
+                Dbprintf(_RED_("Get Data failed") ": Reply CMAC input too large.");
+                break;
+            }
             memcpy(mac_input + mac_input_idx, dynamic_response_info.response + tlv_base, tlv_idx - tlv_base);
             mac_input_idx += tlv_idx - tlv_base;
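Review bot: `tlv_idx - tlv_base` is evaluated three times in this hunk — in the new guard, in the `memcpy` length and in the increment — so the bound that was checked and the length that is copied can drift apart on the next edit. I'd compute it once before the guard, `size_t tlv_len = tlv_idx - tlv_base;`, and use `tlv_len` in all three places, which also gives the check a single name to document. The declarations of `tlv_idx` and `tlv_base` and the enclosing loop are outside the hunk.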