Prevent OOB error in rw_i93_sm_detect_ndef()
Bug: 121260197
Test: NFC tag reading
Change-Id: I9168e338a802c43122b252e895fa4dffcd7080f4
Merged-In: I9168e338a802c43122b252e895fa4dffcd7080f4
(cherry picked from commit 9939edeb9fd6b118c0594c0d07459d4042ed0017)
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index b4d73e2..eeafe10 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc
@@ -22,6 +22,7 @@
* mode.
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include <android-base/stringprintf.h>
@@ -1630,6 +1631,11 @@
"sub_state:%s (0x%x)",
rw_i93_get_sub_state_name(p_i93->sub_state).c_str(), p_i93->sub_state);
+ if (length == 0) {
+ android_errorWriteLog(0x534e4554, "121260197");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
STREAM_TO_UINT8(flags, p);
length--;
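Review bot: The literal `0x534e4554` in the added guard is unexplained, and the same log/fail/return sequence is repeated verbatim in the WAIT_UID hunk below. A comment on the first use, such as `/* 0x534e4554 is ASCII "SNET", the SafetyNet event-log tag; the string is the bug id */`, together with `/* the response must contain at least the flags byte */` above the `length == 0` test, would tell the next reader why the guard exists. The function body starts and ends outside this hunk, so it cannot be confirmed from here whether `length` is re-checked after `length--` before later reads.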
@@ -1649,6 +1655,11 @@
switch (p_i93->sub_state) {
case RW_I93_SUBSTATE_WAIT_UID:
+ if (length < (I93_UID_BYTE_LEN + 1)) {
+ android_errorWriteLog(0x534e4554, "121260197");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
STREAM_TO_UINT8(u8, p); /* DSFID */
p_uid = p_i93->uid;
STREAM_TO_ARRAY8(p_uid, p);
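Review bot: Only the `RW_I93_SUBSTATE_WAIT_UID` case gains a length check. The rest of the switch is outside this hunk, so any other sub-state that parses bytes from `p` should be audited for an equivalent guard sized to what it reads. Within this case the bound matches the visible reads (one DSFID byte, then what is presumably `I93_UID_BYTE_LEN` UID bytes via `STREAM_TO_ARRAY8`), but the visible lines advance `p` without reducing `length`. If anything later in the case consumes more of the buffer, keep the two in step with `length -= (I93_UID_BYTE_LEN + 1);` after the UID copy. A comment such as `/* DSFID (1 byte) + UID */` on the guard would also explain the `+ 1`.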