From 5a597fe4d6985d661ac6c06391b1893bc26cc81d Mon Sep 17 00:00:00 2001
From: Alex Zeffertt
Date: Tue, 16 Mar 2021 10:22:59 +0000
Subject: [PATCH] Check length byte in readDetectedPassiveTargetID() before using it ... and potentially corrupting caller memory.
---
 Adafruit_PN532.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Adafruit_PN532.cpp b/Adafruit_PN532.cpp
index 3900c05..2a8bc1b 100644
--- a/Adafruit_PN532.cpp
+++ b/Adafruit_PN532.cpp
@@ -603,13 +603,15 @@ bool Adafruit_PN532::readDetectedPassiveTargetID(uint8_t *uid,
 PN532DEBUGPRINT.print(F("SAK: 0x"));
 PN532DEBUGPRINT.println(pn532_packetbuffer[11], HEX);
 #endif
+ if (pn532_packetbuffer[12] > 7)
+ return 0;
 /* Card appears to be Mifare Classic */
 *uidLength = pn532_packetbuffer[12];
 #ifdef MIFAREDEBUG
 PN532DEBUGPRINT.print(F("UID:"));
 #endif
- for (uint8_t i = 0; i < pn532_packetbuffer[12]; i++) {
+ for (uint8_t i = 0; i < *uidLength; i++) {
 uid[i] = pn532_packetbuffer[13 + i];
 #ifdef MIFAREDEBUG
 PN532DEBUGPRINT.print(F(" 0x"));
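Review bot: The new guard `if (pn532_packetbuffer[12] > 7)` hard-codes the assumption that every caller passes a `uid` buffer of at least 7 bytes, but the visible part of the signature carries no capacity for that buffer, so the check only protects callers that follow an unwritten contract. I would state the contract at the check, e.g. `/* NFCID length comes from the response and is untrusted; uid[] must hold at least 7 bytes */`, and replace the bare `7` with a named constant. On the rejection path `*uidLength` is left untouched, so a caller that ignores the return value still sees a stale length; adding `*uidLength = 0;` before `return 0;` would make the failure unambiguous. The function body starts and ends outside this hunk, so whether the number of bytes actually received was validated earlier cannot be confirmed from here.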