commit 1036bb8df49e38da549a53da06a58d19a7528891
author George Chang <georgekgchang@google.com> Tue Jan 08 16:34:28 2019 +0800
committer JP Sugarbroad <jpsugar@google.com> Mon Jan 14 14:55:26 2019 -0800
tree 27b405610817f48b0044d77d4900313bfa932241
parent ff1ee6035c293c20fe9e69e8034b3547471be402

Prevent Out of bounds write in rw_t3t_handle_get_sc_poll_rsp()

Test: Read T3T Tag
Bug: 120499324
Change-Id: I5f76f207d16ee744ec9be06e94034adf01727ac8
(cherry picked from commit 17b8a8126c018062f36bd492c7535e216b6660c0)

src/nfc/tags/rw_t3t.c

diff --git a/src/nfc/tags/rw_t3t.c b/src/nfc/tags/rw_t3t.c
index b42bb22..2ed2461 100644
--- a/src/nfc/tags/rw_t3t.c
+++ b/src/nfc/tags/rw_t3t.c
@@ -1675,8 +1675,15 @@
             {
                 RW_TRACE_DEBUG1 ("FeliCa Lite tag detected (system code %04X)", sc);
                 /* Store system code */
-                p_cb->system_codes[p_cb->num_system_codes++] = sc;
-
+                if (p_cb->num_system_codes < T3T_MAX_SYSTEM_CODES)
+                {
+                    p_cb->system_codes[p_cb->num_system_codes++] = sc;
+                }
+                else
+                {
+                    RW_TRACE_ERROR0 ("Exceed T3T_MAX_SYSTEM_CODES!");
+                    android_errorWriteLog(0x534e4554, "120499324");
+                }
                 /* Poll for NDEF system code */
                 if ((status = (tNFC_STATUS) nci_snd_t3t_polling (T3T_SYSTEM_CODE_NDEF, 0, 0)) == NCI_STATUS_OK)
                 {
@@ -1722,7 +1729,15 @@
         if ((nci_status == NCI_STATUS_OK) && (num_responses > 0))
         {
             /* Tag responded for NDEF poll */
-            p_cb->system_codes[p_cb->num_system_codes++] = T3T_SYSTEM_CODE_NDEF;
+            if (p_cb->num_system_codes < T3T_MAX_SYSTEM_CODES)
+            {
+                p_cb->system_codes[p_cb->num_system_codes++] = T3T_SYSTEM_CODE_NDEF;
+            }
+            else
+            {
+                RW_TRACE_ERROR0 ("Exceed T3T_MAX_SYSTEM_CODES!");
+                android_errorWriteLog(0x534e4554, "120499324");
+            }
         }
         rw_t3t_handle_get_system_codes_cplt ();
     }
@@ -1830,7 +1845,15 @@
         for (i = 0; i < num_sc; i++)
         {
             BE_STREAM_TO_UINT16 (sc, p);
-            p_cb->system_codes[p_cb->num_system_codes++] = sc;
+            if (p_cb->num_system_codes < T3T_MAX_SYSTEM_CODES)
+            {
+                p_cb->system_codes[p_cb->num_system_codes++] = sc;
+            }
+            else
+            {
+                RW_TRACE_ERROR0 ("Exceed T3T_MAX_SYSTEM_CODES!");
+                android_errorWriteLog(0x534e4554, "120499324");
+            }
         }
     }
     rw_t3t_handle_get_system_codes_cplt ();