diff options
author | Alisher Alikhodjaev <alisher@google.com> | 2021-05-04 15:35:51 -0700 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2021-05-20 00:01:17 +0000 |
commit | 61750f1181ace3ca390489599e36f0e3b725afb0 (patch) | |
tree | 11a06a285c2822499e7276244996f3fb65846844 /nci | |
parent | fd697c56b7795a7f0cf50cac55db71a60d5bd357 (diff) | |
download | Nfc-61750f1181ace3ca390489599e36f0e3b725afb0.tar.gz |
Potential out of bound in phNciNfc_RecvMfResp
Bug: 181346550
Test: build ok
Change-Id: I2714d022724a3caf3abe077fb9806df3b25f7142
(cherry picked from commit c39c851616f674edb8d9fa98010768eef3ba1913)
Diffstat (limited to 'nci')
-rw-r--r-- | nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp index 81ac416c..3ddc2ca8 100644 --- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp +++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp @@ -1132,6 +1132,10 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo, NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WRITE || NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WR_NDEF_LEN || NdefMap->State == PH_FRINFC_NDEFMAP_STATE_INIT)) { + if (2 > RspBuffInfo->wLen) { + android_errorWriteLog(0x534e4554, "181346550"); + return NFCSTATUS_FAILED; + } uint8_t rspAck = RspBuffInfo->pBuff[RspBuffInfo->wLen - 2]; uint8_t rspAckMask = ((RspBuffInfo->pBuff[RspBuffInfo->wLen - 1]) & MAX_NUM_VALID_BITS_FOR_ACK); @@ -1145,6 +1149,11 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo, status = NFCSTATUS_SUCCESS; uint16_t wRecvDataSz = 0; + if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > + RspBuffInfo->wLen) { + android_errorWriteLog(0x534e4554, "181346550"); + return NFCSTATUS_FAILED; + } /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */ wPldDataSize = ((RspBuffInfo->wLen) - (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE)); |