Potential out of bound in phNciNfc_RecvMfResp

Bug: 181346550
Test: build ok
Change-Id: I2714d022724a3caf3abe077fb9806df3b25f7142
(cherry picked from commit c39c851616f674edb8d9fa98010768eef3ba1913)

1 files changed, 9 insertions, 0 deletions

diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
index 81ac416c..3ddc2ca8 100644
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
@@ -1132,6 +1132,10 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
                NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WRITE ||
                NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WR_NDEF_LEN ||
                NdefMap->State == PH_FRINFC_NDEFMAP_STATE_INIT)) {
+            if (2 > RspBuffInfo->wLen) {
+              android_errorWriteLog(0x534e4554, "181346550");
+              return NFCSTATUS_FAILED;
+            }
             uint8_t rspAck = RspBuffInfo->pBuff[RspBuffInfo->wLen - 2];
             uint8_t rspAckMask = ((RspBuffInfo->pBuff[RspBuffInfo->wLen - 1]) &
                                   MAX_NUM_VALID_BITS_FOR_ACK);
@@ -1145,6 +1149,11 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
             status = NFCSTATUS_SUCCESS;
             uint16_t wRecvDataSz = 0;
 
+            if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
+                RspBuffInfo->wLen) {
+              android_errorWriteLog(0x534e4554, "181346550");
+              return NFCSTATUS_FAILED;
+            }
             /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
             wPldDataSize = ((RspBuffInfo->wLen) -
                             (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));