From 02df6ebbf79f0bc10e153d3d81e83bf473f311bb Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Tue, 6 Oct 2020 23:45:04 +0200
Subject: [PATCH] bad memcpy based on size
---
 client/src/mifare/mifarehost.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/client/src/mifare/mifarehost.c b/client/src/mifare/mifarehost.c
index ee714d284..5eb3f6fd7 100644
--- a/client/src/mifare/mifarehost.c
+++ b/client/src/mifare/mifarehost.c
@@ -816,14 +816,16 @@ int mfEmlSetMem_xt(uint8_t *data, int blockNum, int blocksCount, int blockBtWidt
 return PM3_ESOFT;
 }
- struct p *payload = calloc(1, sizeof(struct p) + size);
+ size_t paylen = sizeof(struct p) + size;
+ struct p *payload = calloc(1, paylen);
+
 payload->blockno = blockNum;
 payload->blockcnt = blocksCount;
 payload->blockwidth = blockBtWidth;
 memcpy(payload->data, data, size);
 clearCommandBuffer();
- SendCommandNG(CMD_HF_MIFARE_EML_MEMSET, (uint8_t *)payload, sizeof(payload) + size);
+ SendCommandNG(CMD_HF_MIFARE_EML_MEMSET, (uint8_t *)payload, paylen);
 free(payload);
 return PM3_SUCCESS;
 }
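Review bot: The result of `calloc(1, paylen)` is dereferenced by the very next statement, `payload->blockno = blockNum;`, without a NULL check, so an allocation failure crashes the client instead of returning an error. Add `if (payload == NULL) return PM3_EMALLOC;` directly after the allocation. The guard that returns `PM3_ESOFT` and the computation of `size` sit above the hunk, so it cannot be confirmed from here that negative `blocksCount` or `blockBtWidth` values are rejected before `memcpy(payload->data, data, size)`; that is worth checking in the full function.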