Prevent length underflow in NfcTag.cpp
Bug: 124940143
Test: Read Type4B Tag
Exempt-From-Owner-Approval: Old Owners are all transferred to another BU
Change-Id: Ibdab756410bf55d701875279df3e289dbc9369d6
(cherry picked from commit c7b41a96744e1ac30920991ef1b427acbcde44db)
diff --git a/nci/jni/NfcTag.cpp b/nci/jni/NfcTag.cpp
index d8a42c1..7194d8c 100644
--- a/nci/jni/NfcTag.cpp
+++ b/nci/jni/NfcTag.cpp
@@ -21,6 +21,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include <nativehelper/ScopedLocalRef.h>
#include <nativehelper/ScopedPrimitiveArray.h>
@@ -713,7 +714,14 @@
DLOG_IF(INFO, nfc_debug_enabled)
<< StringPrintf("%s: tech B; TARGET_TYPE_ISO14443_3B", fn);
len = mTechParams[i].param.pb.sensb_res_len;
- len = len - 4; // subtract 4 bytes for NFCID0 at byte 2 through 5
+ if (len >= NFC_NFCID0_MAX_LEN) {
+ // subtract 4 bytes for NFCID0 at byte 2 through 5
+ len = len - NFC_NFCID0_MAX_LEN;
+ } else {
+ android_errorWriteLog(0x534e4554, "124940143");
+ LOG(ERROR) << StringPrintf("%s: sensb_res_len error", fn);
+ len = 0;
+ }
pollBytes.reset(e->NewByteArray(len));
e->SetByteArrayRegion(pollBytes.get(), 0, len,
(jbyte*)(mTechParams[i].param.pb.sensb_res + 4));
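Review bot: The new guard at `if (len >= NFC_NFCID0_MAX_LEN)` fixes the lower bound only, so the `SetByteArrayRegion` copy that follows still trusts `sensb_res_len` as an upper bound. The declaration of `sensb_res` is not visible in this hunk, but if it is a fixed-size array and the code that fills `sensb_res_len` from the tag's response does not already clamp it, an oversized value would make the copy read past the buffer. Consider tightening the check to `if (len >= NFC_NFCID0_MAX_LEN && len <= sizeof(mTechParams[i].param.pb.sensb_res)) {`, or confirm and comment where the clamp happens. Separately, the subtraction now uses `NFC_NFCID0_MAX_LEN` while the source offset is still the literal in `sensb_res + 4`; using `sensb_res + NFC_NFCID0_MAX_LEN` would keep the two from drifting apart. The enclosing function starts and ends outside the hunk, so the type of `len` and any earlier validation could not be checked here.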