Heap-buffer-overflow in nfc_data_event
Bug: 151313205
Test: build ok
Change-Id: Ie5b89a8d4ff8b0457d412bea61b864314466305b
diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
index 489b84f..175df3a 100644
--- a/src/nfc/nfc/nfc_ncif.cc
+++ b/src/nfc/nfc/nfc_ncif.cc
@@ -1865,13 +1865,13 @@
data_cevt.p_data = p_evt;
/* adjust payload, if needed */
- if (p_cb->conn_id == NFC_RF_CONN_ID) {
+ if (p_cb->conn_id == NFC_RF_CONN_ID && p_evt->len) {
/* if NCI_PROTOCOL_T1T/NCI_PROTOCOL_T2T/NCI_PROTOCOL_T3T, the status
* byte needs to be removed
*/
if ((p_cb->act_protocol >= NCI_PROTOCOL_T1T) &&
(p_cb->act_protocol <= NCI_PROTOCOL_T3T)) {
- if (p_evt->len) p_evt->len--;
+ p_evt->len--;
p = (uint8_t*)(p_evt + 1);
data_cevt.status = *(p + p_evt->offset + p_evt->len);
if ((NFC_GetNCIVersion() == NCI_VERSION_2_0) &&
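Review bot: The new `&& p_evt->len` guard on line 1866 is the only thing that keeps the now-unconditional `p_evt->len--` and the `*(p + p_evt->offset + p_evt->len)` read in bounds (with len >= 1 before the decrement the read lands on the last payload byte instead of one past it), but nothing at the guard says so, and it also changes behaviour: a T1T–T3T frame with an empty payload is now passed up untouched with whatever `data_cevt.status` was assigned before this hunk (set outside the hunk, so presumably initialised — confirm). I would record the invariant where it is established, e.g. `/* empty payload carries no status byte; the len-- and status read below rely on len >= 1 */`, and consider a debug log for that path, since a T1T–T3T response without its status byte is unexpected. Writing the guard as `p_evt->len > 0` would also make the intent explicit rather than relying on integer truthiness. The T2T/NCI 2.0 branch that starts on the last hunk line, and the enclosing nfc_data_event body, continue outside the hunk.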
@@ -1888,7 +1888,7 @@
}
if ((NFC_GetNCIVersion() == NCI_VERSION_2_0) &&
(p_cb->act_protocol == NCI_PROTOCOL_T5T)) {
- if (p_evt->len) p_evt->len--;
+ p_evt->len--;
p = (uint8_t*)(p_evt + 1);
data_cevt.status = *(p + p_evt->offset + p_evt->len);
}
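Review bot: The bare `p_evt->len--` on line 1891 depends on the `&& p_evt->len` check the commit adds to the outer `if` on line 1866, which is in the previous hunk and not visible here, so in isolation the decrement reads as unguarded, and a later edit that loosens the outer condition or inserts a branch between the two would reintroduce the wrap (if `len` is unsigned, as its use as a buffer length suggests) and the out-of-bounds status read. A one-line comment at the decrement, `/* outer guard guarantees len >= 1, so the status byte is present */`, would tie the two sites together. The enclosing function continues before and after this hunk.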