From 01cde802e8fa5f43ee260fd87973753ef95ce249 Mon Sep 17 00:00:00 2001
From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
Date: Sat, 14 Nov 2020 14:00:17 +0100
Subject: [PATCH] Fix a few potential panics.

---
 multipass.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/multipass.rs b/multipass.rs
index 958d189..d3187aa 100644
--- a/multipass.rs
+++ b/multipass.rs
@@ -251,7 +251,7 @@ fn get_readers() -> Result<hyper::Body, Box<dyn std::error::Error>>
 }
 
 fn transmit_apdu(card: &Card, mut apdu: &[u8]) -> Result<String, Box<dyn std::error::Error>> {
-        if apdu[0] == 0xff && apdu[1] == 0xff && apdu[2] == 0x01 && apdu[3] == 0x04 {
+        if apdu.len() >= 11 && apdu[0] == 0xff && apdu[1] == 0xff && apdu[2] == 0x01 && apdu[3] == 0x04 {
             // APDUs with PIN codes are obfuscated (see /getref/ above)
             // with a special extension header used only in scproxy. The format seems to be:
             //
@@ -305,7 +305,7 @@ fn apdureq(reader_name: &str, req: String) -> Result<hyper::Body, Box<dyn std::e
         let apdus = get_apducommands(req.clone())?;
 	let mut any_sensitive = false;
 	for apdu in &apdus {
-		if apdu[0] == 0xff && apdu[1] == 0xff {
+		if apdu.len() >= 2 && apdu[0] == 0xff && apdu[1] == 0xff {
 			any_sensitive = true;
 		}
 	}
-- 
2.39.2