Fix native crash in nfc_ncif_proc_activate The destination of memcpy is allocated with a predetermined maximum length, but in some cases the length of information being copied is greater than the maximum length of the destination. This is the root cause of crash. Add length check before memcpy to avoid memory overflow Test: Repeat reading and writing tag Bug: 32688507 Change-Id: I09ee3c734e9be38a35b1d48679d74e42e0432d78

commit: 6b9d3936e060f3f73de746d855b6676c495753a8 [log] [tgz]
author: fang.x.chen <fang.x.chen@sonymobile.com> Mon Nov 07 12:31:10 2016 +0900
committer: Ruchi Kandoi <kandoiruchi@google.com> Tue Dec 06 11:02:30 2016 -0800
tree: f5a303179ae8187a2a9283740cb160524e112ab2
parent: 0e3eeae5ec8d7ea910407b81e2ba52abc9b84257 [diff]
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 99ad256..2e2c14f 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c

@@ -839,6 +839,8 @@
                 pp++;   /* TC */
             }
             p_pa_iso->his_byte_len  = (UINT8) (p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res));
+            if (p_pa_iso->his_byte_len > NFC_MAX_HIS_BYTES_LEN)
+                p_pa_iso->his_byte_len = NFC_MAX_HIS_BYTES_LEN;
             memcpy (p_pa_iso->his_byte,  pp, p_pa_iso->his_byte_len);
             break;
commit	6b9d3936e060f3f73de746d855b6676c495753a8	[log] [tgz]
author	fang.x.chen <fang.x.chen@sonymobile.com>	Mon Nov 07 12:31:10 2016 +0900
committer	Ruchi Kandoi <kandoiruchi@google.com>	Tue Dec 06 11:02:30 2016 -0800
tree	f5a303179ae8187a2a9283740cb160524e112ab2
parent	0e3eeae5ec8d7ea910407b81e2ba52abc9b84257 [diff]