Prevent integer overflow in NDEF_MsgValidate
Bug: 126200054
Test: Read a Ndef Tag
Change-Id: I156047fa8b6219a4d4d269f7ca720f9a0ee55e17
(cherry picked from commit 91c68129df64a627ed3b5b946e19949f17b1f8f7)
diff --git a/src/nfc/ndef/ndef_utils.c b/src/nfc/ndef/ndef_utils.c
index 01663f0..cb909d5 100644
--- a/src/nfc/ndef/ndef_utils.c
+++ b/src/nfc/ndef/ndef_utils.c
@@ -23,6 +23,7 @@
*
******************************************************************************/
#include "ndef_utils.h"
+#include <log/log.h>
#include <string.h>
/*******************************************************************************
@@ -74,6 +75,7 @@
bool b_allow_chunks) {
uint8_t* p_rec = p_msg;
uint8_t* p_end = p_msg + msg_len;
+ uint8_t* p_new;
uint8_t rec_hdr = 0, type_len, id_len;
int count;
uint32_t payload_len;
@@ -195,6 +197,13 @@
}
}
+ /* Check for OOB */
+ p_new = p_rec + (payload_len + type_len + id_len);
+ if (p_rec > p_new || p_end < p_new) {
+ android_errorWriteLog(0x534e4554, "126200054");
+ return (NDEF_MSG_LENGTH_MISMATCH);
+ }
+
/* Point to next record */
p_rec += (payload_len + type_len + id_len);
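Review bot: The new bound check at `if (p_rec > p_new || p_end < p_new)` still relies on overflow: `payload_len` is `uint32_t` and `type_len`/`id_len` are `uint8_t`, so `payload_len + type_len + id_len` is computed in 32 bits and can wrap to a small value (e.g. `payload_len = 0xFFFFFFFF`, `type_len = 1` gives 0), leaving `p_new` inside `[p_rec, p_end]` and the check satisfied while the record claims a huge payload. Separately, forming `p_rec + huge` and then comparing `p_rec > p_new` is pointer-overflow UB; a compiler may assume an unsigned offset never moves a pointer backwards and fold that half of the test away. Both go away if the comparison is done on lengths rather than pointers: `size_t remaining = (size_t)(p_end - p_rec);` followed by `if (type_len + id_len > remaining || payload_len > remaining - type_len - id_len) {` in place of the two lines above, after which `p_new` is no longer needed and `p_rec += (payload_len + type_len + id_len);` can stay as is. NDEF_MsgValidate begins before and continues after this hunk, so any earlier validation of `payload_len` against `msg_len` is not visible here and I have assumed there is none.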