Fix multiple vulnerabilities

src_features/signMessageEIP712/cmd_signMessage712.c

@@ -9,8 +9,6 @@ void handleSignEIP712Message(uint8_t p1,
                              uint16_t dataLength,
                              unsigned int *flags,
                              unsigned int *tx) {
-    uint8_t i;
-
     UNUSED(tx);
     if ((p1 != 00) || (p2 != 00)) {
         THROW(0x6B00);
@@ -18,31 +16,13 @@ void handleSignEIP712Message(uint8_t p1,
     if (appState != APP_STATE_IDLE) {
         reset_app_context();
     }
-    if (dataLength < 1) {
-        PRINTF("Invalid data\n");
-        THROW(0x6a80);
-    }
-    tmpCtx.messageSigningContext712.pathLength = workBuffer[0];
-    if ((tmpCtx.messageSigningContext712.pathLength < 0x01) ||
-        (tmpCtx.messageSigningContext712.pathLength > MAX_BIP32_PATH)) {
-        PRINTF("Invalid path\n");
-        THROW(0x6a80);
-    }
-    workBuffer++;
-    dataLength--;
-    for (i = 0; i < tmpCtx.messageSigningContext712.pathLength; i++) {
-        if (dataLength < 4) {
-            PRINTF("Invalid data\n");
-            THROW(0x6a80);
-        }
-        tmpCtx.messageSigningContext712.bip32Path[i] = U4BE(workBuffer, 0);
-        workBuffer += 4;
-        dataLength -= 4;
-    }
-    if (dataLength < 32 + 32) {
-        PRINTF("Invalid data\n");
+
+    workBuffer = parseBip32(workBuffer, &dataLength, &tmpCtx.messageSigningContext.bip32);
+
+    if (workBuffer == NULL || dataLength < 32 + 32) {
         THROW(0x6a80);
     }
+
     memmove(tmpCtx.messageSigningContext712.domainHash, workBuffer, 32);
     memmove(tmpCtx.messageSigningContext712.messageHash, workBuffer + 32, 32);
 

src_features/signMessageEIP712/ui_common_signMessage712.c

@@ -34,8 +34,8 @@ unsigned int io_seproxyhal_touch_signMessage712_v0_ok(__attribute__((unused))
     PRINTF("EIP712 hash to sign %.*H\n", 32, hash);
     io_seproxyhal_io_heartbeat();
     os_perso_derive_node_bip32(CX_CURVE_256K1,
-                               tmpCtx.messageSigningContext712.bip32Path,
-                               tmpCtx.messageSigningContext712.pathLength,
+                               tmpCtx.messageSigningContext712.bip32.path,
+                               tmpCtx.messageSigningContext712.bip32.length,
                                privateKeyData,
                                NULL);
     io_seproxyhal_io_heartbeat();