commit | 8888666b6e4612e94d43c1172f6a0f9528e64a32 | [log] [tgz] |
---|---|---|
author | George Chang <georgekgchang@google.com> | Wed Jun 05 16:09:30 2019 +0800 |
committer | George Chang <georgekgchang@google.com> | Fri Jan 31 12:24:40 2020 +0000 |
tree | a2297e848c194eeba3eb93954faac889ab161272 | |
parent | ad6884776d084586fe8236a39fd1e5eeed667c9f [diff] |
Prevent OOB write in phNciNfc_RecvMfResp Bug: 126204073 Test: Read/Write Mifare Tag Merged-In: Ic6b3b3ac388b32bb89442cee978c8fdff30244cc Change-Id: Ic6b3b3ac388b32bb89442cee978c8fdff30244cc
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp index 6dd04e6..77a0dc1 100644 --- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp +++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
@@ -1179,7 +1179,11 @@ } gAuthCmdBuf.auth_status = true; status = NFCSTATUS_SUCCESS; - + if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > + RspBuffInfo->wLen) { + android_errorWriteLog(0x534e4554, "126204073"); + return NFCSTATUS_FAILED; + } /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */ wPldDataSize = ((RspBuffInfo->wLen) - (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));