From 7c240753a204038c0ba863101f895b8c31237992 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Sun, 27 Feb 2022 14:22:38 +0100
Subject: [PATCH] 14a, 15, hf: Fix codeql warnings
---
 client/src/cmdhf.c | 2 +-
 client/src/cmdhf14a.c | 5 +++++
 client/src/cmdhf15.c | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/client/src/cmdhf.c b/client/src/cmdhf.c
index 1e29eb139..5b0dbba39 100644
--- a/client/src/cmdhf.c
+++ b/client/src/cmdhf.c
@@ -241,7 +241,7 @@ int CmdHFTune(const char *Cmd) {
 print_progress(0, max, style);
 // loop forever (till button pressed) if iter = 0 (default)
- for (uint8_t i = 0; iter == 0 || i < iter; i++) {
+ for (uint32_t i = 0; iter == 0 || i < iter; i++) {
 if (kbd_enter_pressed()) {
 break;
 }
diff --git a/client/src/cmdhf14a.c b/client/src/cmdhf14a.c
index 0f7a2ccc3..28f82ab31 100644
--- a/client/src/cmdhf14a.c
+++ b/client/src/cmdhf14a.c
@@ -2651,6 +2651,11 @@ int CmdHF14ANdefRead(const char *Cmd) {
 DropField();
 return PM3_EMALLOC;
 }
+ if (ndef_size + offset > 0xFFFF) {
+ PrintAndLogEx(ERR, "NDEF size abnormally large in CmdHF14ANdef(). Aborting...\n");
+ DropField();
+ return PM3_EOVFLOW;
+ }
 for (uint16_t i = offset; i < ndef_size + offset; i += max_rapdu_size) {
 uint16_t segment_size = max_rapdu_size < ndef_size + offset - i ? max_rapdu_size : ndef_size + offset - i;
 keep_field_on = i < ndef_size + offset - max_rapdu_size;
diff --git a/client/src/cmdhf15.c b/client/src/cmdhf15.c
index 8bd79cb76..9bd0d3f0a 100644
--- a/client/src/cmdhf15.c
+++ b/client/src/cmdhf15.c
@@ -1937,7 +1937,7 @@ static int CmdHF15Restore(const char *Cmd) {
 int fnlen = 0;
 char filename[FILE_PATH_SIZE] = {0};
 CLIParamStrToBuf(arg_get_str(ctx, 6), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
- int retries = arg_get_int_def(ctx, 7, 3);
+ uint32_t retries = arg_get_u32_def(ctx, 7, 3);
 int blocksize = arg_get_int_def(ctx, 8, 4);
 bool verbose = arg_get_lit(ctx, 9);
 CLIParserFree(ctx);
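Review bot: The loop counter in the cmdhf.c hunk is now fixed at `uint32_t` independently of `iter`, whose declaration lies outside the hunk, so the two widths can drift apart again the same way the `uint8_t` counter did. If `iter` turns out to be a signed `int`, `i < iter` converts it to unsigned and a negative value becomes a very large bound, so it is worth confirming that it is parsed as an unsigned 32-bit value. A short comment on the loop would record the constraint, for example `// i must be at least as wide as iter, otherwise a large iter is never reached`. CmdHFTune's body starts and ends outside the hunk.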
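Review bot: The new `ndef_size + offset > 0xFFFF` guard in the cmdhf14a.c hunk does not stop the `uint16_t` counter of the following `for` loop from wrapping, because `i += max_rapdu_size` can still step past 0xFFFF while `i < ndef_size + offset` holds whenever the bound lies within `max_rapdu_size` of 0xFFFF. The size is presumably taken from the tag, so an abnormal value could keep the loop running and re-read earlier offsets; widening the counter, `for (uint32_t i = offset; i < ndef_size + offset; i += max_rapdu_size) {`, removes the wrap while the guard keeps the offsets in 16-bit range. The context above returns `PM3_EMALLOC`, which suggests a buffer is allocated just before the hunk; if so, the new early return should free it, or the check should move ahead of the allocation. The log text names `CmdHF14ANdef()` although the hunk header shows the function is `CmdHF14ANdefRead`. The declarations of `ndef_size`, `offset` and `max_rapdu_size`, like the rest of the function body, are outside the hunk, so the above assumes they are 16-bit quantities.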
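Review bot: `blocksize` stays a signed `int` from `arg_get_int_def`, and no range check is visible before it is used as the `memcpy` length and in the frame length in the second cmdhf15.c hunk (`memcpy(req + reqlen + 1, data + bytes, blocksize)`). Unless the lines between the two hunks validate it, a negative or oversized value converts to a huge `size_t` or overruns `req`; a check after `CLIParserFree(ctx)` such as `if (blocksize < 1 || blocksize > BLOCKSIZE_MAX /* placeholder for req's capacity */) return PM3_EINVARG;` would close that. The now-unsigned `retries` has no upper bound either, so a very large argument keeps the `tried < retries` loop in the second hunk rewriting the same block for a long time; a small cap would be reasonable. CmdHF15Restore's body starts before and continues past both hunks.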
@@ -2040,7 +2040,7 @@ static int CmdHF15Restore(const char *Cmd) {
 memcpy(req + reqlen + 1, data + bytes, blocksize);
 AddCrc15(req, reqlen + 1 + blocksize);
- uint8_t tried = 0;
+ uint32_t tried = 0;
 for (tried = 0; tried < retries; tried++) {
 retval = hf_15_write_blk(verbose, fast, req, (reqlen + 1 + blocksize + 2));