Prevent OOB error in rw_i93_sm_update_ndef()
Bug: 122320256
Test: NFC tag reading
Change-Id: I6b57b186c8b4c793e05d646286ed8155dc460bf5
(cherry picked from commit 8a433fd5db78b81fcfff78460d2e02c820ddc4cd)
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index d883d96..4fcf4ac 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -2083,6 +2083,12 @@
RW_TRACE_DEBUG1 ("rw_i93_sm_update_ndef () sub_state:0x%x", p_i93->sub_state);
#endif
+ if (length == 0 || p_i93->block_size > I93_MAX_BLOCK_LENGH) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error (NFC_STATUS_FAILED);
+ return;
+ }
+
STREAM_TO_UINT8 (flags, p);
length--;
@@ -2112,6 +2118,12 @@
/* get offset of length field */
length_offset = (p_i93->ndef_tlv_start_offset + 1) % p_i93->block_size;
+ if (length < length_offset) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error (NFC_STATUS_FAILED);
+ return;
+ }
+
/* set length to zero */
*(p + length_offset) = 0x00;
@@ -2130,6 +2142,12 @@
/* write the first part of NDEF in the same block */
for ( ; xx < p_i93->block_size; xx++)
{
+ if (xx > length || p_i93->rw_length > p_i93->ndef_length) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error (NFC_STATUS_FAILED);
+ return;
+ }
+
if (p_i93->rw_length < p_i93->ndef_length)
{
*(p + xx) = *(p_i93->p_update_data + p_i93->rw_length++);
@@ -2305,6 +2323,11 @@
/* update length field within the read block */
for (xx = length_offset; xx < p_i93->block_size; xx++)
{
+ if (xx > length) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error (NFC_STATUS_FAILED);
+ return;
+ }
if (p_i93->rw_length == 3)
*(p + xx) = 0xFF;
else if (p_i93->rw_length == 2)
