Prevent OOB read in ce_t4t_process_select_file_cmd

Bug: 140292264
Test: manual
Merged-In: I6f6f1e5d30c85e16c9c24e902dd4fd68c62d7a00
Change-Id: I6f6f1e5d30c85e16c9c24e902dd4fd68c62d7a00
diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
index c8a6251..691ac05 100644
--- a/src/nfc/tags/ce_t4t.cc
+++ b/src/nfc/tags/ce_t4t.cc
@@ -645,6 +645,13 @@
     if (instruct == T4T_CMD_INS_SELECT) {
       /* P1 Byte is already parsed */
       if (select_type == T4T_CMD_P1_SELECT_BY_FILE_ID) {
+        /* CLA+INS+P1+P2+Lc+FILE_ID = T4T_CMD_MAX_HDR_SIZE + T4T_FILE_ID_SIZE */
+        if (p_c_apdu->len < (T4T_CMD_MAX_HDR_SIZE + T4T_FILE_ID_SIZE)) {
+          LOG(ERROR) << "Wrong length";
+          GKI_freebuf(p_c_apdu);
+          ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);
+          return;
+        }
         ce_t4t_process_select_file_cmd(p_cmd);
       } else {
         LOG(ERROR) << StringPrintf("CET4T: Bad P1 byte (0x%02X)", select_type);