Potential OOB read in ce_t4t_update_binary

Bug: 157649298
Test: build ok
Change-Id: I6b037195ce26b13b2c503025971036c78233fce4
diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
index 5f80587..99baf75 100644
--- a/src/nfc/tags/ce_t4t.cc
+++ b/src/nfc/tags/ce_t4t.cc
@@ -731,7 +731,9 @@
         BE_STREAM_TO_UINT8(length, p_cmd);  /* Lc     */
 
         /* check if valid parameters */
-        if ((uint32_t)length <= CE_T4T_MAX_LC) {
+        if ((uint32_t)length <= CE_T4T_MAX_LC &&
+            /* check if data fits into the apdu */
+            (uint16_t)length <= p_c_apdu->len - T4T_CMD_MAX_HDR_SIZE) {
           if (length + offset > ce_cb.mem.t4t.max_file_size) {
             LOG(ERROR) << StringPrintf(
                 "CET4T: length (%d) + offset (%d) must be less than "
@@ -743,6 +745,7 @@
           LOG(ERROR) << StringPrintf(
               "CET4T: length (%d) must be less than MLc (%zu)", length,
               CE_T4T_MAX_LC);
+          android_errorWriteLog(0x534e4554, "157649298");
           length = 0;
         }