Open vratiskol opened 4 years ago
Destination array len = 6 char
format template converted would be: %02x %02x = 4 chars
input: sw1, sw2 = 2 bytes.
How do you see a buffer overflow? With the zero terminator, the string could be 5 chars long. Which is less than the 6 chars allocated.
https://github.com/vratiskol/proxmark3/blob/8d9d03f05aea3ddfd2191ee387418b62478b204e/client/emv/apduinfo.c#L286-L291
The size of the buffer used by GetAPDUCode in buf, at line 286 of client\emv\apduinfo.c, is not properly verified before writing data to the buffer. This can enable a buffer overflow attack, using the source buffer that GetAPDUCode passes to "%02X%02X", at line 286 of client\emv\apduinfo.c, to overwrite the target buffer.
Correction: use snprintf
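The bounded formatting the thread recommends, as an added example that is not proxmark3's code: `format_sw` and `sw_needed_len` are assumed names, while the `%02X%02X` format and the 6-byte destination come from the issue. It also shows the check a reviewer would want: `%02X` is a minimum width, so the 4-char bound holds only for byte-sized operands, and the snprintf return value reveals when an operand was wider.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for sprintf(buf, "%02X%02X", sw1, sw2).
 * buf_len is the destination size in bytes (6 in the issue).
 * Returns the number of characters the full output needs, excluding the
 * terminator; output was truncated when the result is >= buf_len.
 * Returns -1 on an encoding error (buf is left empty). */
int format_sw(char *buf, size_t buf_len, unsigned int sw1, unsigned int sw2)
{
    int needed = snprintf(buf, buf_len, "%02X%02X", sw1, sw2);
    if (needed < 0) {
        if (buf_len > 0)
            buf[0] = '\0';
        return -1;
    }
    return needed;
}

/* Size the destination from the format instead of by hand: snprintf with a
 * NULL buffer and size 0 only counts. For two byte-sized operands this is
 * the 4 characters the thread computes (plus 1 for the terminator); for a
 * wider operand such as a whole 0x9000 status word it grows, which is the
 * case an unbounded sprintf would overflow on. */
int sw_needed_len(unsigned int sw1, unsigned int sw2)
{
    return snprintf(NULL, 0, "%02X%02X", sw1, sw2);
}

int main(void)
{
    char buf[6];                     /* destination size from the issue */
    int n = format_sw(buf, sizeof buf, 0x90, 0x00);
    printf("\"%s\" needs %d chars, fits: %s\n", buf, n,
           (size_t)n < sizeof buf ? "yes" : "no (truncated)");

    /* constructed misuse: the whole status word passed as sw1 */
    n = format_sw(buf, sizeof buf, 0x9000, 0x00);
    printf("\"%s\" needs %d chars, fits: %s\n", buf, n,
           (size_t)n < sizeof buf ? "yes" : "no (truncated)");
    return 0;
}
```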