Fix native crash in nfc_ncif_proc_activateandroid-cts-7.1_r9android-cts-7.1_r8android-cts-7.1_r7android-cts-7.1_r6android-cts-7.1_r5android-cts-7.1_r4android-cts-7.1_r29android-cts-7.1_r28android-cts-7.1_r27android-cts-7.1_r26android-cts-7.1_r25android-cts-7.1_r24android-cts-7.1_r23android-cts-7.1_r22android-cts-7.1_r21android-cts-7.1_r20android-cts-7.1_r19android-cts-7.1_r18android-cts-7.1_r17android-cts-7.1_r16android-cts-7.1_r15android-cts-7.1_r14android-cts-7.1_r13android-cts-7.1_r12android-cts-7.1_r11android-cts-7.1_r10android-7.1.1_r23nougat-mr1-releasenougat-mr1-cts-release

The destination of memcpy is allocated with a predetermined maximum
length, but in some cases the length of information being copied is
greater than the maximum length of the destination.
This is the root cause of crash.

Add length check before memcpy to avoid memory overflow

Test: Repeat reading and writing tag
Bug: 33434992
Bug: 32688507
Change-Id: I09ee3c734e9be38a35b1d48679d74e42e0432d78
(cherry picked from commit 09cb3b3dc46c8bab51346a4163b130857d806418)

1 files changed, 2 insertions, 0 deletions

diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 99ad256..2e2c14f 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -839,6 +839,8 @@ void nfc_ncif_proc_activate (UINT8 *p, UINT8 len)
                 pp++;   /* TC */
             }
             p_pa_iso->his_byte_len  = (UINT8) (p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res));
+            if (p_pa_iso->his_byte_len > NFC_MAX_HIS_BYTES_LEN)
+                p_pa_iso->his_byte_len = NFC_MAX_HIS_BYTES_LEN;
             memcpy (p_pa_iso->his_byte,  pp, p_pa_iso->his_byte_len);
             break;