NFC: Fix crash on ISO15693-3 save when memory is empty or cannot be read (#4165)

* NFC: Possibly fix ISO15693-3 save crash with no data * Also prevent malloc(0) if block size or count is 0 --------- Co-authored-by: hedger <hedger@users.noreply.github.com>
2025-12-12 04:41:26 +04:00 · 2025-03-31 16:59:12 +00:00
parent 6962e9ce34
commit 17759a9e4b
3 changed files with 45 additions and 39 deletions
--- a/lib/nfc/protocols/iso15693_3/iso15693_3.c
+++ b/lib/nfc/protocols/iso15693_3/iso15693_3.c
@@ -173,33 +173,35 @@ bool iso15693_3_load(Iso15693_3Data* data, FlipperFormat* ff, uint32_t version)

        if(flipper_format_key_exist(ff, ISO15693_3_BLOCK_COUNT_KEY) &&
           flipper_format_key_exist(ff, ISO15693_3_BLOCK_SIZE_KEY)) {
+            data->system_info.flags |= ISO15693_3_SYSINFO_FLAG_MEMORY;
+
            uint32_t block_count;
            if(!flipper_format_read_uint32(ff, ISO15693_3_BLOCK_COUNT_KEY, &block_count, 1)) break;
-
            data->system_info.block_count = block_count;
-            data->system_info.flags |= ISO15693_3_SYSINFO_FLAG_MEMORY;

            if(!flipper_format_read_hex(
                   ff, ISO15693_3_BLOCK_SIZE_KEY, &(data->system_info.block_size), 1))
                break;

-            simple_array_init(
-                data->block_data, data->system_info.block_size * data->system_info.block_count);
-
-            if(!flipper_format_read_hex(
-                   ff,
-                   ISO15693_3_DATA_CONTENT_KEY,
-                   simple_array_get_data(data->block_data),
-                   simple_array_get_count(data->block_data)))
-                break;
-
-            if(flipper_format_key_exist(ff, ISO15693_3_SECURITY_STATUS_KEY)) {
+            if(data->system_info.block_count > 0 && data->system_info.block_size > 0) {
+                simple_array_init(
+                    data->block_data,
+                    data->system_info.block_size * data->system_info.block_count);
                simple_array_init(data->block_security, data->system_info.block_count);

-                const bool security_loaded = has_lock_bits ?
-                                                 iso15693_3_load_security(data, ff) :
-                                                 iso15693_3_load_security_legacy(data, ff);
-                if(!security_loaded) break;
+                if(!flipper_format_read_hex(
+                       ff,
+                       ISO15693_3_DATA_CONTENT_KEY,
+                       simple_array_get_data(data->block_data),
+                       simple_array_get_count(data->block_data)))
+                    break;
+
+                if(flipper_format_key_exist(ff, ISO15693_3_SECURITY_STATUS_KEY)) {
+                    const bool security_loaded = has_lock_bits ?
+                                                     iso15693_3_load_security(data, ff) :
+                                                     iso15693_3_load_security_legacy(data, ff);
+                    if(!security_loaded) break;
+                }
            }
        }

@@ -260,22 +262,24 @@ bool iso15693_3_save(const Iso15693_3Data* data, FlipperFormat* ff) {
                   ff, ISO15693_3_BLOCK_SIZE_KEY, &data->system_info.block_size, 1))
                break;

-            if(!flipper_format_write_hex(
-                   ff,
-                   ISO15693_3_DATA_CONTENT_KEY,
-                   simple_array_cget_data(data->block_data),
-                   simple_array_get_count(data->block_data)))
-                break;
+            if(data->system_info.block_count > 0 && data->system_info.block_size > 0) {
+                if(!flipper_format_write_hex(
+                       ff,
+                       ISO15693_3_DATA_CONTENT_KEY,
+                       simple_array_cget_data(data->block_data),
+                       simple_array_get_count(data->block_data)))
+                    break;

-            if(!flipper_format_write_comment_cstr(
-                   ff, "Block Security Status: 01 = locked, 00 = not locked"))
-                break;
-            if(!flipper_format_write_hex(
-                   ff,
-                   ISO15693_3_SECURITY_STATUS_KEY,
-                   simple_array_cget_data(data->block_security),
-                   simple_array_get_count(data->block_security)))
-                break;
+                if(!flipper_format_write_comment_cstr(
+                       ff, "Block Security Status: 01 = locked, 00 = not locked"))
+                    break;
+                if(!flipper_format_write_hex(
+                       ff,
+                       ISO15693_3_SECURITY_STATUS_KEY,
+                       simple_array_cget_data(data->block_security),
+                       simple_array_get_count(data->block_security)))
+                    break;
+            }
        }
        saved = true;
    } while(false);
--- a/lib/nfc/protocols/iso15693_3/iso15693_3_poller_i.c
+++ b/lib/nfc/protocols/iso15693_3/iso15693_3_poller_i.c
@@ -100,10 +100,12 @@ Iso15693_3Error iso15693_3_poller_activate(Iso15693_3Poller* instance, Iso15693_
            break;
        }

-        if(system_info->block_count > 0) {
-            // Read blocks: Optional command
+        if(system_info->block_count > 0 && system_info->block_size > 0) {
            simple_array_init(
                data->block_data, system_info->block_count * system_info->block_size);
+            simple_array_init(data->block_security, system_info->block_count);
+
+            // Read blocks: Optional command
            ret = iso15693_3_poller_read_blocks(
                instance,
                simple_array_get_data(data->block_data),
@@ -115,8 +117,6 @@ Iso15693_3Error iso15693_3_poller_activate(Iso15693_3Poller* instance, Iso15693_
            }

            // Get block security status: Optional command
-            simple_array_init(data->block_security, system_info->block_count);
-
            ret = iso15693_3_poller_get_blocks_security(
                instance, simple_array_get_data(data->block_security), system_info->block_count);
            if(ret != Iso15693_3ErrorNone) {