Prevent integer overflow in NDEF_MsgValidate Bug: 126200054 Test: Read a Ndef Tag Change-Id: I156047fa8b6219a4d4d269f7ca720f9a0ee55e17 (cherry picked from commit 91c68129df64a627ed3b5b946e19949f17b1f8f7)

commit: 34516fff2703a662e14996ea068432cccbd7304d [log] [tgz]
author: George Chang <georgekgchang@google.com> Thu Jun 06 19:07:54 2019 +0800
committer: Arjun Garg <arjgarg@google.com> Thu Jul 11 12:17:02 2019 -0700
tree: cfac8339bececb361394b056e6571673e6752876
parent: cde5a37b69c295b1fa0764c7822fe8a5f127e90f [diff]
diff --git a/src/nfc/ndef/ndef_utils.c b/src/nfc/ndef/ndef_utils.c
index 01663f0..cb909d5 100644
--- a/src/nfc/ndef/ndef_utils.c
+++ b/src/nfc/ndef/ndef_utils.c

@@ -23,6 +23,7 @@
  *
  ******************************************************************************/
 #include "ndef_utils.h"
+#include <log/log.h>
 #include <string.h>
 
 /*******************************************************************************
@@ -74,6 +75,7 @@
                               bool b_allow_chunks) {
   uint8_t* p_rec = p_msg;
   uint8_t* p_end = p_msg + msg_len;
+  uint8_t* p_new;
   uint8_t rec_hdr = 0, type_len, id_len;
   int count;
   uint32_t payload_len;
@@ -195,6 +197,13 @@
       }
     }
 
+    /* Check for OOB */
+    p_new = p_rec + (payload_len + type_len + id_len);
+    if (p_rec > p_new || p_end < p_new) {
+        android_errorWriteLog(0x534e4554, "126200054");
+        return (NDEF_MSG_LENGTH_MISMATCH);
+    }
+
     /* Point to next record */
     p_rec += (payload_len + type_len + id_len);
commit	34516fff2703a662e14996ea068432cccbd7304d	[log] [tgz]
author	George Chang <georgekgchang@google.com>	Thu Jun 06 19:07:54 2019 +0800
committer	Arjun Garg <arjgarg@google.com>	Thu Jul 11 12:17:02 2019 -0700
tree	cfac8339bececb361394b056e6571673e6752876
parent	cde5a37b69c295b1fa0764c7822fe8a5f127e90f [diff]