Prevent OOB error in rw_i93_sm_update_ndef()

Bug: 122320256
Test: NFC tag reading
Change-Id: Iee56827ff3b65718a61db6cbaca19b4c5abbc223
Merged-In: I053e9f01dc921bab55b5781c83f048d2638d5b87
(cherry picked from commit 8617cbb1a8c2f08de97b6d4c48c053781c67a926)
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index d5f3c54..bd337e1 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -1875,6 +1875,12 @@
   RW_TRACE_DEBUG1("rw_i93_sm_update_ndef () sub_state:0x%x", p_i93->sub_state);
 #endif
 
+  if (length == 0 || p_i93->block_size > I93_MAX_BLOCK_LENGH) {
+    android_errorWriteLog(0x534e4554, "122320256");
+    rw_i93_handle_error(NFC_STATUS_FAILED);
+    return;
+  }
+
   STREAM_TO_UINT8(flags, p);
   length--;
 
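Review bot: The new guard caps `p_i93->block_size` from above but does not reject zero, and the next hunk computes `(p_i93->ndef_tlv_start_offset + 1) % p_i93->block_size`, which is undefined behaviour for a zero divisor. Whether `block_size` can be zero at this point depends on how it is populated from the tag's system information, which this diff does not show. If the value is tag-controlled, extend the condition to `if (length == 0 || p_i93->block_size == 0 || p_i93->block_size > I93_MAX_BLOCK_LENGH) {`. The function body starts before and continues after this hunk.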
@@ -1898,6 +1904,12 @@
       /* get offset of length field */
       length_offset = (p_i93->ndef_tlv_start_offset + 1) % p_i93->block_size;
 
+      if (length < length_offset) {
+        android_errorWriteLog(0x534e4554, "122320256");
+        rw_i93_handle_error(NFC_STATUS_FAILED);
+        return;
+      }
+
       /* set length to zero */
       *(p + length_offset) = 0x00;
 
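Review bot: The bound `length < length_offset` still admits `length == length_offset`, so the store `*(p + length_offset) = 0x00;` just below can write one byte past the `length` bytes remaining at `p`. This assumes `length` counts the bytes left after the flags byte, as the `length--` in the first hunk suggests. The comparison should be `if (length <= length_offset) {`. The same off-by-one appears in the loop guards `xx > length` in the hunks at -1911 and -2057, where `*(p + xx)` is written; those should read `xx >= length`. The enclosing block starts and ends outside this hunk.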
@@ -1911,6 +1923,11 @@
 
         /* write the first part of NDEF in the same block */
         for (; xx < p_i93->block_size; xx++) {
+          if (xx > length || p_i93->rw_length > p_i93->ndef_length) {
+            android_errorWriteLog(0x534e4554, "122320256");
+            rw_i93_handle_error(NFC_STATUS_FAILED);
+            return;
+          }
           if (p_i93->rw_length < p_i93->ndef_length) {
             *(p + xx) = *(p_i93->p_update_data + p_i93->rw_length++);
           } else {
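Review bot: The guard added inside the `for` loop runs on every iteration and can return after earlier iterations have already written to `p` and advanced `p_i93->rw_length`, so the failure path leaves a partly updated block and counter. `rw_length` is only incremented while it is below `ndef_length`, so `p_i93->rw_length > p_i93->ndef_length` can only be true on entry and belongs before the loop. The buffer bound can likewise be a single pre-loop comparison of `p_i93->block_size` against `length`. The initial value of `xx` and the end of the loop are outside the hunk, so confirm the loop is entered before rejecting on the hoisted bound.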
@@ -2057,6 +2074,12 @@
 
           /* update length field within the read block */
           for (xx = length_offset; xx < p_i93->block_size; xx++) {
+            if (xx > length) {
+              android_errorWriteLog(0x534e4554, "122320256");
+              rw_i93_handle_error(NFC_STATUS_FAILED);
+              return;
+            }
+
             if (p_i93->rw_length == 3)
               *(p + xx) = 0xFF;
             else if (p_i93->rw_length == 2)