From 6b9ecfcb638d403a0c63478080bd3c8de6dbc092 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Sat, 5 Feb 2022 11:10:21 +0100
Subject: [PATCH] fix ATS parsing length checks, forgot CRC...
---
 client/src/cmdhf14a.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/client/src/cmdhf14a.c b/client/src/cmdhf14a.c
index cb2d1e6d2..437e4d604 100644
--- a/client/src/cmdhf14a.c
+++ b/client/src/cmdhf14a.c
@@ -1849,7 +1849,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) {
 PrintAndLogEx(SUCCESS, "ATS: " _YELLOW_("%s")"[ %02x %02x ]", sprint_hex(card.ats, card.ats_len - 2), card.ats[card.ats_len - 1], card.ats[card.ats_len]);
 PrintAndLogEx(INFO, " " _YELLOW_("%02x") "............... TL length is " _GREEN_("%d") " bytes", card.ats[0], card.ats[0]);
- if ((card.ats[0] > 1) && (card.ats_len > 1)) { // there is a format byte (T0)
+ if ((card.ats[0] > 1) && (card.ats_len > 3)) { // there is a format byte (T0)
 ta1 = (card.ats[1] & 0x10) == 0x10;
 tb1 = (card.ats[1] & 0x20) == 0x20;
 tc1 = (card.ats[1] & 0x40) == 0x40;
@@ -1866,7 +1866,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) {
 );
 }
 int pos = 2;
- if (ta1 && (card.ats_len > pos)) {
+ if (ta1 && (card.ats_len > pos + 2)) {
 char dr[16], ds[16];
 dr[0] = ds[0] = '\0';
 if (card.ats[pos] & 0x10) strcat(ds, "2, ");
@@ -1888,7 +1888,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) {
 pos++;
 }
- if (tb1 && (card.ats_len > pos)) {
+ if (tb1 && (card.ats_len > pos + 2)) {
 uint32_t sfgi = card.ats[pos] & 0x0F;
 uint32_t fwi = card.ats[pos] >> 4;
@@ -1903,7 +1903,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) {
 pos++;
 }
- if (tc1 && (card.ats_len > pos)) {
+ if (tc1 && (card.ats_len > pos + 2)) {
 PrintAndLogEx(INFO, " " _YELLOW_("%02X") "... TC1 NAD is%s supported, CID is%s supported",
 card.ats[pos],
 (card.ats[pos] & 0x01) ? "" : _RED_(" NOT"),
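Review bot: The ATS print on the first context line of the 1849 hunk indexes the CRC pair off by one: `sprint_hex(card.ats, card.ats_len - 2)` covers indices 0..ats_len-3, so the two remaining received bytes are `card.ats[card.ats_len - 2]` and `card.ats[card.ats_len - 1]`, whereas the format arguments read `ats_len - 1` and `ats_len`, skipping one CRC byte and reading one byte past the received data. Since the commit's new length checks are precisely about the two trailing CRC bytes, correcting this in the same change would be natural: `card.ats[card.ats_len - 2], card.ats[card.ats_len - 1]`. Whether `card.ats` is a fixed-size buffer that happens to make the extra read in-bounds, and what guards `card.ats_len - 2` against underflow when fewer than two bytes were received, is not visible here; infoHF14A begins before the hunk.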
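Review bot: The `+ 2` in the new conditions of the 1866, 1888 and 1903 hunks is the CRC length according to the commit message, but nothing in the code says so, and the same constant is folded into `> 3` in the 1849 hunk and into `card.ats[0] + 2` in the 1913 hunk; a reader has to rederive that `ats_len` includes the CRC at each site. A comment at the first occurrence, `// ats_len includes the 2 trailing CRC bytes; interface bytes must lie before them`, or a named constant such as `ATS_CRC_LEN` used in all five conditions, would make the invariant explicit and keep the checks consistent if the buffer layout ever changes. The `pos` increments that these checks depend on sit partly outside the hunks, so I cannot confirm from here that every read of `card.ats[pos]` between two checks is covered by the preceding one.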
@@ -1913,7 +1913,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) {
 }
 // ATS - Historial bytes and identify based on it
- if (card.ats[0] > pos && card.ats[0] <= card.ats_len - 2) {
+ if ((card.ats[0] > pos) && (card.ats_len >= card.ats[0] + 2)) {
 char tip[60];
 tip[0] = '\0';
 if (card.ats[0] - pos >= 7) {
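Review bot: The TL-versus-received-length check in the new condition, `card.ats_len >= card.ats[0] + 2`, is applied only before the historical bytes, whereas the TA1/TB1/TC1 parsing earlier in the function (hunks 1866–1903) guards solely on `ats_len`; a reply whose TL is smaller than the number of bytes actually received therefore has its interface bytes decoded from data that TL does not claim to cover, and one whose TL is too large is only caught at this late point. Hoisting a single consistency check such as `if (card.ats_len < card.ats[0] + 2) { /* warn: TL larger than received ATS */ }` to just after TL is printed would validate the whole card-supplied reply against its declared length once rather than piecemeal. The enclosing function starts and ends outside this hunk, so I cannot see whether such a check already exists upstream of the 1849 hunk.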