OOBW in rw_i93_send_to_upper() Bug: 271849189 Test: tag r/w (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8) Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1 Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1 (cherry picked from commit 60f52747e36458776e6a78cf950747f13ffac99c)

commit: 21c4d8b6ec39d5ca2b3f50a154cb609e2decb0f7 [log] [tgz]
author: Alisher Alikhodjaev <alisher@google.com> Tue May 02 14:20:57 2023 -0700
committer: Fairphone ODM <fairphone-odm@localhost> Mon Jul 17 15:32:59 2023 +0800
tree: 9778e3f91f13ad5a0faa842ac13b380c0de52a25
parent: 63c590d611c6661b131e04bc93d76875fa62e5e8 [diff]
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index 5bf9afc..caeb22b 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc

@@ -540,6 +540,15 @@
     case I93_CMD_GET_MULTI_BLK_SEC:
     case I93_CMD_EXT_GET_MULTI_BLK_SEC:
 
+      if (UINT16_MAX - length < NFC_HDR_SIZE) {
+        rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
+        rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
+        rw_cb.tcb.i93.sent_cmd = 0;
+
+        event = RW_I93_CMD_CMPL_EVT;
+        break;
+      }
+
       /* forward tag data or security status */
       p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
commit	21c4d8b6ec39d5ca2b3f50a154cb609e2decb0f7	[log] [tgz]
author	Alisher Alikhodjaev <alisher@google.com>	Tue May 02 14:20:57 2023 -0700
committer	Fairphone ODM <fairphone-odm@localhost>	Mon Jul 17 15:32:59 2023 +0800
tree	9778e3f91f13ad5a0faa842ac13b380c0de52a25
parent	63c590d611c6661b131e04bc93d76875fa62e5e8 [diff]