From 7380eacf0e52d259a71cfe5d63c7b8b640b0a666 Mon Sep 17 00:00:00 2001
From: WillyJL
Date: Tue, 23 Sep 2025 15:43:45 +0200
Subject: [PATCH] NFC: Fix read crash with unexpectedly large MFC AUTH(0) response (#4265)
This was noticeable with Chameleon Ultra NTAG emulation
Co-authored-by: hedger
---
 lib/nfc/protocols/iso14443_3a/iso14443_3a_poller_i.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/nfc/protocols/iso14443_3a/iso14443_3a_poller_i.c b/lib/nfc/protocols/iso14443_3a/iso14443_3a_poller_i.c
index 2cf66edba5..5795c1bfab 100644
--- a/lib/nfc/protocols/iso14443_3a/iso14443_3a_poller_i.c
+++ b/lib/nfc/protocols/iso14443_3a/iso14443_3a_poller_i.c
@@ -42,7 +42,13 @@ static Iso14443_3aError iso14443_3a_poller_standard_frame_exchange(
 break;
 }
+ if(bit_buffer_get_capacity_bytes(rx_buffer) <
+ bit_buffer_get_size_bytes(instance->rx_buffer)) {
+ ret = Iso14443_3aErrorBufferOverflow;
+ break;
+ }
 bit_buffer_copy(rx_buffer, instance->rx_buffer);
+
 if(!iso14443_crc_check(Iso14443CrcTypeA, instance->rx_buffer)) {
 ret = Iso14443_3aErrorWrongCrc;
 break;
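Review bot: The new capacity guard in front of `bit_buffer_copy(rx_buffer, instance->rx_buffer)` carries no comment explaining why it exists, and the reason is security-relevant: the size of the received frame is decided by the card or emulator, so it must be treated as untrusted before it is copied into the caller's buffer. I would add `/* Response size is tag-controlled: reject frames that do not fit the caller's buffer before copying. */` directly above the `if`. The guard also runs before `iso14443_crc_check`, so a frame that is both oversized and corrupted is reported as `Iso14443_3aErrorBufferOverflow` rather than `Iso14443_3aErrorWrongCrc`; that ordering looks reasonable, but callers that retry only on CRC errors are worth checking. Any other path that copies `instance->rx_buffer` into a caller-supplied buffer would presumably need the same guard; none is visible here, since the body of `iso14443_3a_poller_standard_frame_exchange` starts and ends outside the hunk.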