Merge branch 'dev/10/fp2/security-aosp-qt-release' into int/10/fp2
* dev/10/fp2/security-aosp-qt-release:
DO NOT MERGE OOBW in phNciNfc_MfCreateXchgDataHdr
DO NOT MERGE OOBW in Mfc_Transceive()
Change-Id: Ia57492e67f660c124622d23272ada80da794de4b
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
index a54f2c8..2148f2a 100644
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
@@ -994,6 +994,11 @@
return status;
}
+ if (len > (MAX_BUFF_SIZE * 2)) {
+ android_errorWriteLog(0x534e4554, "241387741");
+ return status;
+ }
+
gphNxpExtns_Context.RawWriteCallBack = false;
gphNxpExtns_Context.CallBackMifare = NULL;
gphNxpExtns_Context.CallBackCtxt = NdefMap;
@@ -1386,6 +1391,11 @@
NFCSTATUS status = NFCSTATUS_SUCCESS;
uint8_t i = 0;
+ if (tTranscvInfo.tSendData.wLen > (MAX_BUFF_SIZE - 1)) {
+ android_errorWriteLog(0x534e4554, "246932269");
+ return NFCSTATUS_FAILED;
+ }
+
buff[i++] = phNciNfc_e_MfRawDataXchgHdr;
memcpy(&buff[i], tTranscvInfo.tSendData.pBuff, tTranscvInfo.tSendData.wLen);
*buffSz = i + tTranscvInfo.tSendData.wLen;