commit d91827187a5f55a0fd85bfc884d6e69c3f732d8b
author George Chang <georgekgchang@google.com> Tue Jul 09 15:46:28 2019 +0800
committer JP Sugarbroad <jpsugar@google.com> Wed Aug 07 14:13:27 2019 -0700
tree 85a28643787ce0dedc4d5f7f9dd5a195ff2f7044
parent b549d1c83278bac51391fd16dae9121228dffb3b

Prevent length underflow in NfcTag.cpp

Bug: 124940143
Test: Read Type4B Tag
Merged-In: Ibdab756410bf55d701875279df3e289dbc9369d6
Change-Id: Ibdab756410bf55d701875279df3e289dbc9369d6
(cherry picked from commit 73f392e9820324ad7716edebeb0368e407c078a9)

nci/jni/NfcTag.cpp

diff --git a/nci/jni/NfcTag.cpp b/nci/jni/NfcTag.cpp
old mode 100755
new mode 100644
index 3246f6f..0e70707
--- a/nci/jni/NfcTag.cpp
+++ b/nci/jni/NfcTag.cpp
@@ -21,6 +21,7 @@
 #include "NfcTag.h"
 #include "JavaClassConstants.h"
 #include "config.h"
+#include <log/log.h>
 #include <ScopedLocalRef.h>
 #include <ScopedPrimitiveArray.h>
 
@@ -741,7 +742,14 @@
                 *****************/
                 ALOGV("%s: tech B; TARGET_TYPE_ISO14443_3B", fn);
                 len = mTechParams [i].param.pb.sensb_res_len;
-                len = len - 4; //subtract 4 bytes for NFCID0 at byte 2 through 5
+                if (len >= NFC_NFCID0_MAX_LEN) {
+                    // subtract 4 bytes for NFCID0 at byte 2 through 5
+                    len = len - NFC_NFCID0_MAX_LEN;
+                } else {
+                    android_errorWriteLog(0x534e4554, "124940143");
+                    ALOGE("%s: sensb_res_len error", fn);
+                    len = 0;
+                }
                 pollBytes.reset(e->NewByteArray(len));
                 e->SetByteArrayRegion(pollBytes.get(), 0, len, (jbyte*) (mTechParams [i].param.pb.sensb_res+4));
             }