From 94f3619b2efbb852c4fc0cb42b20755bc7bf380b Mon Sep 17 00:00:00 2001
From: Ludovic Rousseau
Date: Sat, 8 Aug 2020 16:45:17 +0200
Subject: [PATCH 5/6] PPS_Match: fix potential read of uninitialized buffer

Thanks to Maksim Ivanov for the bug report "[Pcsclite-muscle] Insufficient checks in CCID"
http://lists.infradead.org/pipermail/pcsclite-muscle/2020-August/001098.html

"
Hello,

The CCID free software driver is missing a few checks and graceful handling of some error cases:

7. Read of uninitialized buffer in PPS_Match() at
https://salsa.debian.org/rousseau/CCID/-/blob/4d5cbf703c268b31c734931166c52dcb9920c0fe/src/towitoko/pps.c#L101
- in case |len_confirm| is unexpectedly small.
"
---
 src/towitoko/pps.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/towitoko/pps.c b/src/towitoko/pps.c
index d3b9bda..82b5915 100644
--- a/src/towitoko/pps.c
+++ b/src/towitoko/pps.c
@@ -98,7 +98,9 @@ PPS_Match (BYTE * request, unsigned len_request, BYTE * confirm, unsigned len_co
 		return FALSE;
 
 	/* See if the card specifies other than default FI and D */
-	if ((PPS_HAS_PPS1 (confirm)) && (confirm[2] != request[2]))
+	if ((PPS_HAS_PPS1 (confirm))
+		&& (len_confirm > 2)
+		&& (confirm[2] != request[2]))
 		return FALSE;
 
 	return TRUE;
-- 
1.8.3.1
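Review bot: A confirm whose PPS0 byte sets the PPS1 flag but that carries fewer than three bytes now falls through to `return TRUE`, because the added `(len_confirm > 2)` short-circuits the comparison; a truncated PPS response is a protocol violation and is better rejected than reported as a match, e.g. `if ((PPS_HAS_PPS1 (confirm)) && ((len_confirm <= 2) || (confirm[2] != request[2])))`. `PPS_HAS_PPS1 (confirm)` itself dereferences the confirm buffer before any length test in this hunk, so the fix still relies on a check above the hunk guaranteeing at least two bytes — the leading `return FALSE;` context line suggests one exists, but it is not visible here and deserves a comment such as `/* len_confirm >= 2 is guaranteed by the check above */`. The `request[2]` read is bounded only by the caller building the request with three bytes whenever it asks for PPS1, which is also worth stating in a comment. PPS_Match begins and ends outside the hunk.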