am 4c5f2a9d: am ed1c8d7d: am 0aa1017f: Prevent allocation overflows by corrupt NDEF records.

* commit '4c5f2a9dd26674be797e1cb7c995247601096a04':
  Prevent allocation overflows by corrupt NDEF records.
diff --git a/core/jni/android_nfc_NdefMessage.cpp b/core/jni/android_nfc_NdefMessage.cpp
index d9b64aa..41099cb 100644
--- a/core/jni/android_nfc_NdefMessage.cpp
+++ b/core/jni/android_nfc_NdefMessage.cpp
@@ -102,6 +102,19 @@
         }
         TRACE("phFriNfc_NdefRecord_Parse() returned 0x%04x", status);
 
+        // We don't exactly know what *is* a valid length, but a simple
+        // sanity check is to make sure that the length of the header
+        // plus all fields does not exceed raw_msg_size. The min length
+        // of the header is 3 bytes: TNF, Type Length, Payload Length
+        // (ID length field is optional!)
+        uint64_t indicatedMsgLength = 3 + record.TypeLength + record.IdLength +
+                (uint64_t)record.PayloadLength;
+        if (indicatedMsgLength >
+                (uint64_t)raw_msg_size) {
+            LOGE("phFri_NdefRecord_Parse: invalid length field");
+            goto end;
+        }
+
         type = e->NewByteArray(record.TypeLength);
         if (type == NULL) {
             LOGD("NFC_Set Record Type Error\n");
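Review bot: The bound on L20-L21 compares the record's indicated length against the whole `raw_msg_size`, not against the bytes remaining after the point where this record starts, so if the enclosing loop parses several records from one buffer a record that begins part-way in can still advertise TypeLength/IdLength/PayloadLength that run past the end of the buffer and pass this check. The parse loop and any offset variable are outside the hunk, so this is inferred; if such an offset exists the comparison should be `indicatedMsgLength > (uint64_t)(raw_msg_size - <record start offset>)` (placeholder name). The check is otherwise sound as a lower bound: using the 3-byte minimum header never rejects a valid record, which the comment already states, and widening to uint64_t before the add avoids overflow. Separately, the new log message names `phFri_NdefRecord_Parse` while the TRACE on L11 names `phFriNfc_NdefRecord_Parse`; `LOGE("phFriNfc_NdefRecord_Parse: invalid length field");` would keep the two greppable together. The enclosing function begins and ends outside this hunk, so whether `goto end` releases anything allocated earlier cannot be confirmed from here.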