Merge RQ3A.210705.001 to aosp-master - DO NOT MERGE

Merged-In: I37aab0de97d19d9256ea54cfe9456a9d4011ca06
Merged-In: Iacb12eed1cfd3d24132927cf50ca9f1ed6d10b25
Merged-In: Iacb12eed1cfd3d24132927cf50ca9f1ed6d10b25
Change-Id: I2a0b9fac972112e39d36d67719e91e68fcc75488

1 files changed, 9 insertions, 0 deletions

diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
index 81ac416c..3ddc2ca8 100644
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
@@ -1132,6 +1132,10 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
                NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WRITE ||
                NdefMap->State == PH_FRINFC_NDEFMAP_STATE_WR_NDEF_LEN ||
                NdefMap->State == PH_FRINFC_NDEFMAP_STATE_INIT)) {
+            if (2 > RspBuffInfo->wLen) {
+              android_errorWriteLog(0x534e4554, "181346550");
+              return NFCSTATUS_FAILED;
+            }
             uint8_t rspAck = RspBuffInfo->pBuff[RspBuffInfo->wLen - 2];
             uint8_t rspAckMask = ((RspBuffInfo->pBuff[RspBuffInfo->wLen - 1]) &
                                   MAX_NUM_VALID_BITS_FOR_ACK);
@@ -1145,6 +1149,11 @@ static NFCSTATUS phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
             status = NFCSTATUS_SUCCESS;
             uint16_t wRecvDataSz = 0;
 
+            if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
+                RspBuffInfo->wLen) {
+              android_errorWriteLog(0x534e4554, "181346550");
+              return NFCSTATUS_FAILED;
+            }
             /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
             wPldDataSize = ((RspBuffInfo->wLen) -
                             (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));