Prevent integer overflow in NDEF_MsgValidate Bug: 126200054 Test: Read a Ndef Tag Change-Id: I156047fa8b6219a4d4d269f7ca720f9a0ee55e17 (cherry picked from commit 8124222e3a70c68fa6475a011d32d2c3f600cecd)

commit: 4dabeea78334a181c8095983e6c29d75d286f900 [log] [tgz]
author: George Chang <georgekgchang@google.com> Thu Jun 06 19:13:21 2019 +0800
committer: Arjun Garg <arjgarg@google.com> Thu Jul 11 12:08:49 2019 -0700
tree: 515137f9c14cf9a389242059f816f2834ee17591
parent: b0fd3c51461ec093ae1c141abfa965d41aaa673d [diff]
diff --git a/src/nfc/ndef/ndef_utils.c b/src/nfc/ndef/ndef_utils.c
index 974005a..0c4f320 100644
--- a/src/nfc/ndef/ndef_utils.c
+++ b/src/nfc/ndef/ndef_utils.c

@@ -24,6 +24,7 @@
  *
  ******************************************************************************/
 #include <string.h>
+#include <log/log.h>
 #include "ndef_utils.h"
 
 /*******************************************************************************
@@ -80,6 +81,7 @@
 {
     UINT8   *p_rec = p_msg;
     UINT8   *p_end = p_msg + msg_len;
+    UINT8   *p_new;
     UINT8   rec_hdr=0, type_len, id_len;
     int     count;
     UINT32  payload_len;
@@ -187,6 +189,14 @@
                 return (NDEF_MSG_LENGTH_MISMATCH);
         }
 
+        /* Check for OOB */
+        p_new = p_rec + (payload_len + type_len + id_len);
+        if (p_rec > p_new || p_end < p_new)
+        {
+            android_errorWriteLog(0x534e4554, "126200054");
+            return (NDEF_MSG_LENGTH_MISMATCH);
+        }
+
         /* Point to next record */
         p_rec += (payload_len + type_len + id_len);
commit	4dabeea78334a181c8095983e6c29d75d286f900	[log] [tgz]
author	George Chang <georgekgchang@google.com>	Thu Jun 06 19:13:21 2019 +0800
committer	Arjun Garg <arjgarg@google.com>	Thu Jul 11 12:08:49 2019 -0700
tree	515137f9c14cf9a389242059f816f2834ee17591
parent	b0fd3c51461ec093ae1c141abfa965d41aaa673d [diff]