OOBR in AnalyzeMfcResp in NxpMfcReader.cc
Bug: 252763983
Test: build ok
Change-Id: I91fa035ca6245e6039eeedb447d7e3306b7aebc5
(cherry picked from commit on googleplex-android-review.googlesource.com host: 69c53a6f1bca6d450e5100c1044114ffad615e5c)
Merged-In: I91fa035ca6245e6039eeedb447d7e3306b7aebc5
(cherry picked from commit 1a027f523ff5cb69a71a5013082d84c40461b351)
diff --git a/pn8x/halimpl/mifare/NxpMfcReader.cc b/pn8x/halimpl/mifare/NxpMfcReader.cc
index 602a2b7..9ee49db 100644
--- a/pn8x/halimpl/mifare/NxpMfcReader.cc
+++ b/pn8x/halimpl/mifare/NxpMfcReader.cc
@@ -349,6 +349,10 @@
} break;
case eMfcAuthRsp: {
+ if (*pBufflen < 2) {
+ status = NFCSTATUS_FAILED;
+ break;
+ }
/* check the status byte */
if (NFCSTATUS_SUCCESS == pBuff[1]) {
status = NFCSTATUS_SUCCESS;
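Review bot: The new `*pBufflen < 2` guard at the top of `case eMfcAuthRsp` protects only this case's read of `pBuff[1]`, and it dereferences `pBufflen` with no null check visible in the hunk. The rest of AnalyzeMfcResp, including the case that ends just above, lies outside the hunk, so whether the other cases bound their `pBuff` reads cannot be confirmed from here; if they do not, validating the pointers and the minimum length once before the `switch` would cover them all. The bare `2` would read better with a comment such as `/* need 2 bytes: pBuff[1] is the status byte */`. The visible lines reject a truncated response without logging anything, so an error log on that path would make malformed responses easier to triage. The same points apply to the identical hunk in snxxx/halimpl/mifare/NxpMfcReader.cc.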
diff --git a/snxxx/halimpl/mifare/NxpMfcReader.cc b/snxxx/halimpl/mifare/NxpMfcReader.cc
index 83fe1d9..7ac930b 100644
--- a/snxxx/halimpl/mifare/NxpMfcReader.cc
+++ b/snxxx/halimpl/mifare/NxpMfcReader.cc
@@ -353,6 +353,10 @@
} break;
case eMfcAuthRsp: {
+ if (*pBufflen < 2) {
+ status = NFCSTATUS_FAILED;
+ break;
+ }
/* check the status byte */
if (NFCSTATUS_SUCCESS == pBuff[1]) {
status = NFCSTATUS_SUCCESS;