Merge "Prevent OOB read in rw_i93_process_sys_info()" into oc-dev
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index 2a7a307..daac9d7 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -1803,6 +1803,12 @@
RW_TRACE_DEBUG0("rw_i93_sm_read_ndef ()");
+ if (length == 0) {
+ android_errorWriteLog(0x534e4554, "122035770");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
STREAM_TO_UINT8(flags, p);
length--;
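Review bot: The new guard covers only the single flags byte consumed by `STREAM_TO_UINT8(flags, p)` on the next line; whatever rw_i93_sm_read_ndef copies out of `p` after `length--` lies outside this hunk and still needs its own comparison against the remaining `length`, so it is worth confirming that path is bounded as well. A one-line comment would make the intent of the early return explicit: `/* response must carry at least the flags byte; an empty response is a protocol error */`. rw_i93_sm_read_ndef begins before the hunk.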
@@ -1902,6 +1908,12 @@
RW_TRACE_DEBUG1("rw_i93_sm_update_ndef () sub_state:0x%x", p_i93->sub_state);
#endif
+ if (length == 0 || p_i93->block_size > I93_MAX_BLOCK_LENGH) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
STREAM_TO_UINT8(flags, p);
length--;
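Review bot: The entry check rejects a `block_size` above `I93_MAX_BLOCK_LENGH` but not a `block_size` of zero, and the next hunk, which appears to be in the same function, computes `(p_i93->ndef_tlv_start_offset + 1) % p_i93->block_size`, which is undefined for a zero divisor. Whether zero can reach here depends on how `block_size` is filled from the tag's system-info response, which is outside this hunk; rejecting it at the same spot is cheap: `if (length == 0 || p_i93->block_size == 0 || p_i93->block_size > I93_MAX_BLOCK_LENGH) {`. rw_i93_sm_update_ndef begins before the hunk.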
@@ -1925,6 +1937,12 @@
/* get offset of length field */
length_offset = (p_i93->ndef_tlv_start_offset + 1) % p_i93->block_size;
+ if (length < length_offset) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
/* set length to zero */
*(p + length_offset) = 0x00;
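Review bot: The bound looks off by one: if `length` counts the bytes remaining at `p`, as the `length--` following `STREAM_TO_UINT8` in the previous hunk suggests, the valid indices are `0..length-1`, yet `length == length_offset` passes the check and `*(p + length_offset) = 0x00` then touches the byte just past the data. The guard should be `if (length <= length_offset) {`. The same boundary applies to the `xx > length` checks added in the two following hunks, where `*(p + xx)` is written inside the loop; those should read `if (xx >= length ...` under the same reading of `length`. The enclosing function starts and ends outside the hunk.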
@@ -1938,6 +1956,11 @@
/* write the first part of NDEF in the same block */
for (; xx < p_i93->block_size; xx++) {
+ if (xx > length || p_i93->rw_length > p_i93->ndef_length) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
if (p_i93->rw_length < p_i93->ndef_length) {
*(p + xx) = *(p_i93->p_update_data + p_i93->rw_length++);
} else {
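Review bot: The `p_i93->rw_length > p_i93->ndef_length` half of the new check is loop-invariant here: the body only advances `rw_length` while `rw_length < ndef_length`, so the condition can only be true on entry and fires on the first iteration, while being re-evaluated on every later one. Hoisting it above the `for` as `if (p_i93->rw_length > p_i93->ndef_length) { ... }` and leaving only the `xx` bound inside the loop states the two concerns separately and is easier to read. The loop body continues past the end of the hunk.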
@@ -2084,6 +2107,12 @@
/* update length field within the read block */
for (xx = length_offset; xx < p_i93->block_size; xx++) {
+ if (xx > length) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
+
if (p_i93->rw_length == 3)
*(p + xx) = 0xFF;
else if (p_i93->rw_length == 2)