From e31a0f736ed6cedd58437e686f3ba651935df527 Mon Sep 17 00:00:00 2001
From: Alexis Green <alexis@cessp.it>
Date: Tue, 2 Aug 2016 14:10:33 -0700
Subject: [PATCH] FIX: LEGIC - potential stack corruption calculating CRC from
 user input

---
 client/cmdhflegic.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c
index d55ea98d..91682581 100644
--- a/client/cmdhflegic.c
+++ b/client/cmdhflegic.c
@@ -570,23 +570,36 @@ int CmdLegicCalcCrc8(const char *Cmd){
 	uint8_t cmdp = 0, uidcrc = 0, type=0;
 	bool errors = false;
 	int len = 0;
+	int bg, en;
 	
 	while(param_getchar(Cmd, cmdp) != 0x00) {
 		switch(param_getchar(Cmd, cmdp)) {
 		case 'b':
 		case 'B':
+			// peek at length of the input string so we can
+			// figure out how many elements to malloc in "data"
+			bg=en=0;
+			param_getptr(Cmd, &bg, &en, cmdp+1);
+			len = (en - bg + 1);
+
+			// check that user entered even number of characters
+			// for hex data string
+			if (len & 1) {
+				errors = true;
+				break;
+			}
+
 			// it's possible for user to accidentally enter "b" parameter
 			// more than once - we have to clean previous malloc
 			if (data) free(data);
-			data = malloc(len);
+			data = malloc(len >> 1);
 			if ( data == NULL ) {
 				PrintAndLog("Can't allocate memory. exiting");
 				errors = true;
 				break;
-			}			
-			param_gethex_ex(Cmd, cmdp+1, data, &len);
-			// if odd symbols, (hexbyte must be two symbols)
-			if ( len & 1 ) errors = true;
+			}
+			
+			param_gethex(Cmd, cmdp+1, data, len);
 
 			len >>= 1;	
 			cmdp += 2;
-- 
2.39.2