From d8b0a18752562d4641c99100715a19eb157269a2 Mon Sep 17 00:00:00 2001
From: Romain Tartiere
Date: Sat, 9 Jan 2010 02:55:42 +0000
Subject: [PATCH] Fix invalid memory access in CRC8 computation functions.
---
 libfreefare/mad.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/libfreefare/mad.c b/libfreefare/mad.c
index f263930..8bb989b 100644
--- a/libfreefare/mad.c
+++ b/libfreefare/mad.c
@@ -188,11 +188,15 @@ mad_read (MifareClassicTag tag)
     /* Read MAD data at 0x00 (MAD1, MAD2) */
     if (mifare_classic_read (tag, 0x01, &data) < 0)
         goto error;
-    memcpy (&(mad->sector_0x00), data, sizeof (data));
+
+    uint8_t *p = (uint8_t *) &(mad->sector_0x00);
+    memcpy (p, data, sizeof (data));
+
+    p+= sizeof (data);
     if (mifare_classic_read (tag, 0x02, &data) < 0)
         goto error;
-    memcpy (&(mad->sector_0x00) + sizeof (data), data, sizeof (data));
+    memcpy (p, data, sizeof (data));
     uint8_t crc = mad->sector_0x00.crc;
     uint8_t computed_crc = sector_0x00_crc8 (mad);
@@ -207,17 +211,23 @@ mad_read (MifareClassicTag tag)
         goto error;
     }
+    p = (uint8_t *) &(mad->sector_0x10);
+
     if (mifare_classic_read (tag, 0x40, &data) < 0)
         goto error;
-    memcpy (&(mad->sector_0x10), data, sizeof (data));
+    memcpy (p, data, sizeof (data));
+
+    p += sizeof (data);
     if (mifare_classic_read (tag, 0x41, &data) < 0)
         goto error;
-    memcpy (&(mad->sector_0x10) + sizeof (data), data, sizeof (data));
+    memcpy (p, data, sizeof (data));
+
+    p += sizeof (data);
     if (mifare_classic_read (tag, 0x42, &data) < 0)
         goto error;
-    memcpy (&(mad->sector_0x10) + sizeof (data) * 2, data, sizeof (data));
+    memcpy (p, data, sizeof (data));
     crc = mad->sector_0x10.crc;
     computed_crc = sector_0x10_crc8 (mad);
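Review bot: The byte-pointer copies now rely on `mad->sector_0x00` being exactly `2 * sizeof (data)` bytes and `mad->sector_0x10` exactly `3 * sizeof (data)` bytes (the second hunk has the same dependency), and nothing in either hunk checks that, so any padding or layout change in those structs would silently reintroduce an out-of-bounds write of the kind this commit removes. I would pin the assumption next to the first `uint8_t *p = ...` line with `_Static_assert (sizeof (mad->sector_0x00) == 2 * sizeof (data), "MAD sector 0x00 layout");` and the matching `3 * sizeof (data)` check before `p = (uint8_t *) &(mad->sector_0x10);` if the project builds as C11, otherwise an equivalent runtime `if (...) goto error;` before the first copy. As a style point, `p+= sizeof (data);` in the first hunk should be written `p += sizeof (data);` to match the second hunk. The body of `mad_read` starts and ends outside these hunks.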