Prevent Out of bounds read/write in nfc_ncif_set_config_status

Test: Nfc Enable/Disable; Android Beam; Tag reading
Bug: 114047681
Merged-In: Iaba48380879373a4807a9d50634f4f40be97ef81
Change-Id: Iaba48380879373a4807a9d50634f4f40be97ef81
(cherry picked from commit 5b18209498ca5dc9fe65cf6e2b77b8879821251f)
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 2e2c14f..ed83c18 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -24,6 +24,7 @@
  *  (callback). On the transmit side, it manages the command transmission.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <stdlib.h>
 #include <string.h>
 #include "nfc_target.h"
@@ -490,14 +491,37 @@
     tNFC_RESPONSE   evt_data;
     if (nfc_cb.p_resp_cback)
     {
-        evt_data.set_config.status          = (tNFC_STATUS) *p++;
-        evt_data.set_config.num_param_id    = NFC_STATUS_OK;
-        if (evt_data.set_config.status != NFC_STATUS_OK)
+        evt_data.set_config.num_param_id = 0;
+        if (len == 0)
         {
-            evt_data.set_config.num_param_id    = *p++;
-            STREAM_TO_ARRAY (evt_data.set_config.param_ids, p, evt_data.set_config.num_param_id);
+            NFC_TRACE_ERROR0 ("Insufficient RSP length");
+            evt_data.set_config.status = NFC_STATUS_SYNTAX_ERROR;
+            (*nfc_cb.p_resp_cback) (NFC_SET_CONFIG_REVT, &evt_data);
+            return;
         }
-
+        evt_data.set_config.status = (tNFC_STATUS)*p++;
+        if (evt_data.set_config.status != NFC_STATUS_OK && len > 1)
+        {
+            evt_data.set_config.num_param_id = *p++;
+            if (evt_data.set_config.num_param_id > NFC_MAX_NUM_IDS)
+            {
+                android_errorWriteLog (0x534e4554, "114047681");
+                NFC_TRACE_ERROR1 ("OOB write num_param_id %d",
+                                 evt_data.set_config.num_param_id);
+                evt_data.set_config.num_param_id = 0;
+            }
+            else if (evt_data.set_config.num_param_id <= len - 2)
+            {
+                STREAM_TO_ARRAY (evt_data.set_config.param_ids, p,
+                                evt_data.set_config.num_param_id);
+            }
+            else
+            {
+                NFC_TRACE_ERROR2 ("Insufficient RSP length %d,num_param_id %d",
+                                 len, evt_data.set_config.num_param_id);
+                evt_data.set_config.num_param_id = 0;
+            }
+        }
         (*nfc_cb.p_resp_cback) (NFC_SET_CONFIG_REVT, &evt_data);
     }
 }