Snap for 7215955 from 7cc62bb45c2c77612870f57246be9c3fa27c1253 to rvc-qpr3-release Change-Id: I1973f489097952675c3f9776da768b0444757c3a

commit: 125dd618f6b654e3d15e0430c9d7aab533589bed [log] [tgz]
author: android-build-team Robot <android-build-team-robot@google.com> Wed Mar 17 22:05:21 2021 +0000
committer: android-build-team Robot <android-build-team-robot@google.com> Wed Mar 17 22:05:21 2021 +0000
tree: 1f168a6958f2f14e6b392b0f97e1ed7e9fafa913
parent: 5085fa305107247b13fa505b0255f80c2c8ce901 [diff]
parent: 7cc62bb45c2c77612870f57246be9c3fa27c1253 [diff]
diff --git a/halimpl/hal/phNxpNciHal.cc b/halimpl/hal/phNxpNciHal.cc
index 6b4b748..f1a9594 100644
--- a/halimpl/hal/phNxpNciHal.cc
+++ b/halimpl/hal/phNxpNciHal.cc

@@ -3210,21 +3210,36 @@
       NXPLOG_NCIHAL_D("%s: response status =%s", __func__, response_buf[11]);
     }
     if (phNxpNciClock.isClockSet) {
-      int i;
-      for (i = 0; i < *p_len; i++) {
+      int i, len = sizeof(phNxpNciClock.p_rx_data);
+      if (*p_len > len) {
+        android_errorWriteLog(0x534e4554, "169257710");
+      } else {
+        len = *p_len;
+      }
+      for (i = 0; i < len; i++) {
         phNxpNciClock.p_rx_data[i] = p_rx_data[i];
       }
     }
 
     else if (phNxpNciRfSet.isGetRfSetting) {
-      int i;
-      for (i = 0; i < *p_len; i++) {
+      int i, len = sizeof(phNxpNciRfSet.p_rx_data);
+      if (*p_len > len) {
+        android_errorWriteLog(0x534e4554, "169258733");
+      } else {
+        len = *p_len;
+      }
+      for (i = 0; i < len; i++) {
         phNxpNciRfSet.p_rx_data[i] = p_rx_data[i];
         // NXPLOG_NCIHAL_D("%s: response status =0x%x",__func__,p_rx_data[i]);
       }
     } else if (phNxpNciMwEepromArea.isGetEepromArea) {
-      int i;
-      for (i = 8; i < *p_len; i++) {
+      int i, len = sizeof(phNxpNciMwEepromArea.p_rx_data) + 8;
+      if (*p_len > len) {
+        android_errorWriteLog(0x534e4554, "169258884");
+      } else {
+        len = *p_len;
+      }
+      for (i = 8; i < len; i++) {
         phNxpNciMwEepromArea.p_rx_data[i - 8] = p_rx_data[i];
       }
     } else if (nxpncihal_ctrl.phNxpNciGpioInfo.state == GPIO_STORE) {
@@ -3236,7 +3251,7 @@
         nxpncihal_ctrl.phNxpNciGpioInfo.values[0] = p_rx_data[9];
         nxpncihal_ctrl.phNxpNciGpioInfo.values[1] = p_rx_data[8];
     }
-}
+  }
 
   if (p_rx_data[2] && (config_access == true)) {
     if (p_rx_data[3] != NFCSTATUS_SUCCESS) {

diff --git a/halimpl/hal/phNxpNciHal_ext.cc b/halimpl/hal/phNxpNciHal_ext.cc
index 1dbf3ef..805aea6 100644
--- a/halimpl/hal/phNxpNciHal_ext.cc
+++ b/halimpl/hal/phNxpNciHal_ext.cc

@@ -143,6 +143,10 @@
   status = NFCSTATUS_SUCCESS;
 
   if (bDisableLegacyMfcExtns && bEnableMfcExtns && p_ntf[0] == 0) {
+    if (*p_len < NCI_HEADER_SIZE) {
+      android_errorWriteLog(0x534e4554, "169258743");
+      return NFCSTATUS_FAILED;
+    }
     uint16_t extlen;
     extlen = *p_len - NCI_HEADER_SIZE;
     NxpMfcReaderInstance.AnalyzeMfcResp(&p_ntf[3], &extlen);
commit	125dd618f6b654e3d15e0430c9d7aab533589bed	[log] [tgz]
author	android-build-team Robot <android-build-team-robot@google.com>	Wed Mar 17 22:05:21 2021 +0000
committer	android-build-team Robot <android-build-team-robot@google.com>	Wed Mar 17 22:05:21 2021 +0000
tree	1f168a6958f2f14e6b392b0f97e1ed7e9fafa913
parent	5085fa305107247b13fa505b0255f80c2c8ce901 [diff]
parent	7cc62bb45c2c77612870f57246be9c3fa27c1253 [diff]