commit 2fde3566dcbec967d6b4d61fc1a1638923c45b11
author Ruchi Kandoi <kandoiruchi@google.com> Wed Oct 17 16:14:08 2018 -0700
committer android-build-team Robot <android-build-team-robot@google.com> Fri Mar 15 23:10:13 2019 +0000
tree 04d4559fa05889a5d23fc2d4c0421e448aaaeaba
parent a48f8a05f022340802e34871166f05bd118b3981

Prevent OOB error in nfc_ncif_proc_get_routing()

Test: Tag reading; Card Emulation
Bug: 117554809
Change-Id: Ib49af2eadf870f030a6cddeec390dc498bd5078c
(cherry picked from commit 8c29aa84918b79d3bad0a68430a2dfbeec41bde6)

src/nfc/nfc/nfc_ncif.c

diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index ed83c18..bf906f1 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -27,6 +27,7 @@
 #include <log/log.h>
 #include <stdlib.h>
 #include <string.h>
+
 #include "nfc_target.h"
 
 #if NFC_INCLUDED == TRUE
@@ -1195,8 +1196,13 @@
             {
                 tl                  = *(p+1);
                 tl                 += NFC_TL_SIZE;
-                STREAM_TO_ARRAY (pn, p, tl);
                 evt_data.tlv_size  += tl;
+                if (evt_data.tlv_size > NFC_MAX_EE_TLV_SIZE) {
+                    android_errorWriteLog(0x534e4554, "117554809");
+                    NFC_TRACE_ERROR1("%s Invalid data format", __func__);
+                    return;
+                }
+                STREAM_TO_ARRAY (pn, p, tl);
                 pn                 += tl;
             }
             (*nfc_cb.p_resp_cback) (NFC_GET_ROUTING_REVT, (tNFC_RESPONSE *) &evt_data);