Prevent OOB write in phNciNfc_RecvMfResp Bug: 126204073 Test: Read/Write Mifare Tag Merged-In: Ic6b3b3ac388b32bb89442cee978c8fdff30244cc Change-Id: Ic6b3b3ac388b32bb89442cee978c8fdff30244cc

commit: 8888666b6e4612e94d43c1172f6a0f9528e64a32 [log] [tgz]
author: George Chang <georgekgchang@google.com> Wed Jun 05 16:09:30 2019 +0800
committer: George Chang <georgekgchang@google.com> Fri Jan 31 12:24:40 2020 +0000
tree: a2297e848c194eeba3eb93954faac889ab161272
parent: ad6884776d084586fe8236a39fd1e5eeed667c9f [diff]
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
index 6dd04e6..77a0dc1 100644
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.cpp

@@ -1179,7 +1179,11 @@
             }
             gAuthCmdBuf.auth_status = true;
             status = NFCSTATUS_SUCCESS;
-
+            if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
+                RspBuffInfo->wLen) {
+              android_errorWriteLog(0x534e4554, "126204073");
+              return NFCSTATUS_FAILED;
+            }
             /* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
             wPldDataSize = ((RspBuffInfo->wLen) -
                             (PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));
commit	8888666b6e4612e94d43c1172f6a0f9528e64a32	[log] [tgz]
author	George Chang <georgekgchang@google.com>	Wed Jun 05 16:09:30 2019 +0800
committer	George Chang <georgekgchang@google.com>	Fri Jan 31 12:24:40 2020 +0000
tree	a2297e848c194eeba3eb93954faac889ab161272
parent	ad6884776d084586fe8236a39fd1e5eeed667c9f [diff]