EIP712 STRUCT FIELD IMPL now checks the APDU payload bounds

src_features/signMessageEIP712/commands_712.c

@@ -116,7 +116,8 @@ bool    handle_eip712_struct_impl(const uint8_t *const apdu_buf)
                 }
                 break;
             case P2_ARRAY:
-                ret = path_new_array_depth(apdu_buf[OFFSET_CDATA]);
+                ret = path_new_array_depth(&apdu_buf[OFFSET_CDATA],
+                                           apdu_buf[OFFSET_LC]);
                 break;
             default:
                 PRINTF("Unknown P2 0x%x for APDU 0x%x\n",

src_features/signMessageEIP712/field_hash.c

@@ -296,6 +296,11 @@ bool    field_hash(const uint8_t *data,
     {
         data = field_hash_prepare(field_ptr, data, &data_length);
     }
+    if (data_length > fh->remaining_size)
+    {
+        apdu_response_code = APDU_RESPONSE_INVALID_DATA;
+        return false;
+    }
     fh->remaining_size -= data_length;
     // if a dynamic type -> continue progressive hash
     if (IS_DYN(field_type))

src_features/signMessageEIP712/path.c

@@ -442,19 +442,14 @@ bool    path_set_root(const char *const struct_name, uint8_t name_length)
  * @return whether the checks and add were successful or not
  */
 static bool check_and_add_array_depth(const void *depth,
-                                 uint8_t total_count,
-                                 uint8_t pidx,
-                                 uint8_t size)
+                                      uint8_t total_count,
+                                      uint8_t pidx,
+                                      uint8_t size)
 {
     uint8_t expected_size;
     uint8_t arr_idx;
     e_array_type expected_type;
 
-    if (path_struct == NULL)
-    {
-        apdu_response_code = APDU_RESPONSE_CONDITION_NOT_SATISFIED;
-        return false;
-    }
     arr_idx = (total_count - path_struct->array_depth_count) - 1;
     // we skip index 0, since we already have it
     for (uint8_t idx = 1; idx < (arr_idx + 1); ++idx)
@@ -483,10 +478,12 @@ static bool check_and_add_array_depth(const void *depth,
 /**
  * Add a new array depth with a given size (number of elements).
  *
- * @param[in] size number of elements
+ * @param[in] data pointer to the number of elements
+ * @param[in] length length of data
  * @return whether the add was successful or not
  */
-bool    path_new_array_depth(uint8_t size)
+bool    path_new_array_depth(const uint8_t *const data,
+                             uint8_t length)
 {
     const void *field_ptr = NULL;
     const void *depth = NULL;
@@ -497,6 +494,12 @@ bool    path_new_array_depth(uint8_t size)
 
     if (path_struct == NULL)
     {
+        apdu_response_code = APDU_RESPONSE_CONDITION_NOT_SATISFIED;
+        return false;
+    }
+    else if (length != 1)
+    {
+        apdu_response_code = APDU_RESPONSE_INVALID_DATA;
         return false;
     }
 
@@ -517,7 +520,7 @@ bool    path_new_array_depth(uint8_t size)
             total_count += depth_count;
             if (total_count > path_struct->array_depth_count)
             {
-                if (!check_and_add_array_depth(depth, total_count, pidx, size))
+                if (!check_and_add_array_depth(depth, total_count, pidx, *data))
                 {
                     return false;
                 }

src_features/signMessageEIP712/path.h

@@ -36,7 +36,8 @@ const void  *path_get_field(void);
 bool    path_advance(void);
 bool    path_init(void);
 void    path_deinit(void);
-bool    path_new_array_depth(uint8_t size);
+bool    path_new_array_depth(const uint8_t *const data,
+                             uint8_t length);
 e_root_type path_get_root_type(void);
 const void  *path_get_root(void);
 const void *path_get_nth_field(uint8_t n);