Prevent OOB error in rw_i93_sm_detect_ndef()
Bug: 121260197
Test: NFC tag reading
Change-Id: I9168e338a802c43122b252e895fa4dffcd7080f4
Merged-In: I9168e338a802c43122b252e895fa4dffcd7080f4
(cherry picked from commit 9939edeb9fd6b118c0594c0d07459d4042ed0017)
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index a49e99a..2a7a307 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -22,6 +22,7 @@
* mode.
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "bt_types.h"
#include "nfc_target.h"
@@ -1419,6 +1420,11 @@
RW_TRACE_DEBUG1("rw_i93_sm_detect_ndef () sub_state:0x%x", p_i93->sub_state);
#endif
+ if (length == 0) {
+ android_errorWriteLog(0x534e4554, "121260197");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
STREAM_TO_UINT8(flags, p);
length--;
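Review bot: The literal `0x534e4554` passed to `android_errorWriteLog()` in the added `length == 0` guard is unexplained, and the same three-line error block is repeated in the `RW_I93_SUBSTATE_WAIT_UID` guard further down. The value is ASCII "SNET", the event-log tag used to record security-relevant conditions, and the string is the bug number. A comment such as `/* "SNET" event-log tag + bug id: records a zero-length I93 response */` would tell a maintainer not to drop or alter the call, since log-based detection of malformed tag responses depends on it. The guard sits correctly ahead of `STREAM_TO_UINT8(flags, p)` and `length--`, which would otherwise read past the data and, if `length` is unsigned (its declaration is outside the hunk), wrap the counter. The body of rw_i93_sm_detect_ndef() starts and ends outside the hunk.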
@@ -1437,6 +1443,11 @@
switch (p_i93->sub_state) {
case RW_I93_SUBSTATE_WAIT_UID:
+ if (length < (I93_UID_BYTE_LEN + 1)) {
+ android_errorWriteLog(0x534e4554, "121260197");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
STREAM_TO_UINT8(u8, p); /* DSFID */
p_uid = p_i93->uid;
STREAM_TO_ARRAY8(p_uid, p);
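Review bot: Only the `RW_I93_SUBSTATE_WAIT_UID` case gets a length guard here. The other cases of this `switch` are outside the hunk, and any of them that parse the response through `p` would need an equivalent check before the function can be treated as bounded. The added condition matches the two reads that follow, one DSFID byte plus `I93_UID_BYTE_LEN` UID bytes, which is worth stating in a comment: `/* need DSFID (1) + UID (I93_UID_BYTE_LEN) */`. The visible lines do not reduce `length` after consuming those bytes, so if later code in this case relies on `length` it should be adjusted; the case continues past the end of the hunk.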