A possible buffer overflow in nfaHciCallback

Bug: 181346545
Test: build ok
Change-Id: Ied7174d866130aabf39972213bb20bf641de60d3
diff --git a/nci/jni/HciEventManager.cpp b/nci/jni/HciEventManager.cpp
index 1365a0d..4aeaa6b 100644
--- a/nci/jni/HciEventManager.cpp
+++ b/nci/jni/HciEventManager.cpp
@@ -16,6 +16,7 @@
 #include "HciEventManager.h"
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
+#include <log/log.h>
 #include <nativehelper/ScopedLocalRef.h>
 #include "JavaClassConstants.h"
 #include "NfcJniUtil.h"
@@ -159,20 +160,25 @@
   if (event == NFA_HCI_EVENT_RCVD_EVT &&
       eventData->rcvd_evt.evt_code == NFA_HCI_EVT_TRANSACTION &&
       buffLength > 3 && event_buff[0] == 0x81) {
-    int aidlen = event_buff[1];
-    std::vector<uint8_t> aid(event_buff.begin() + 2,
-                             event_buff.begin() + aidlen + 2);
+    uint32_t aidlen = event_buff[1];
+    if (aidlen < (buffLength - 1)) {
+      std::vector<uint8_t> aid(event_buff.begin() + 2,
+                               event_buff.begin() + aidlen + 2);
 
-    int32_t berTlvStart = aidlen + 2 + 1;
-    int32_t berTlvLen = buffLength - berTlvStart;
-    std::vector<uint8_t> data;
-    if (berTlvLen > 0 && event_buff[2 + aidlen] == 0x82) {
-      std::vector<uint8_t> berTlv(event_buff.begin() + berTlvStart,
-                                  event_buff.end());
-      // BERTLV decoding here, to support extended data length for params.
-      data = getInstance().getDataFromBerTlv(berTlv);
+      int32_t berTlvStart = aidlen + 2 + 1;
+      int32_t berTlvLen = buffLength - berTlvStart;
+      std::vector<uint8_t> data;
+      if (berTlvLen > 0 && event_buff[2 + aidlen] == 0x82) {
+        std::vector<uint8_t> berTlv(event_buff.begin() + berTlvStart,
+                                    event_buff.end());
+        // BERTLV decoding here, to support extended data length for params.
+        data = getInstance().getDataFromBerTlv(berTlv);
+      }
+      getInstance().notifyTransactionListenersOfAid(aid, data, evtSrc);
+    } else {
+      android_errorWriteLog(0x534e4554, "181346545");
+      LOG(ERROR) << StringPrintf("error: aidlen(%d) is too big", aidlen);
     }
-    getInstance().notifyTransactionListenersOfAid(aid, data, evtSrc);
   }
 }
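Review bot: The new error line `LOG(ERROR) << StringPrintf("error: aidlen(%d) is too big", aidlen);` formats the `uint32_t` aidlen with `%d`; the specifier should be `%u` to match the variable's new type. The bound check itself looks right for the AID copy, since `aidlen < buffLength - 1` is exactly `2 + aidlen <= buffLength`, and the later `berTlvLen > 0` test keeps `event_buff[2 + aidlen]` in range as well, so a one-line comment above the check would spare the next reader that derivation, e.g. `// AID occupies bytes [2, 2 + aidlen); reject lengths that would read past buffLength`. The type of buffLength is declared outside this hunk; if it is signed, the comparison against the unsigned aidlen is only safe because of the preceding `buffLength > 3` guard, which is worth noting next to the check. nfaHciCallback's body starts outside the hunk.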