DO NOT MERGE - Merge QQ2A.200405.005 into master am: f467291975
Change-Id: I222f321ea6c35ccc540a32973f87d4a8eba8d199
diff --git a/src/nfc/tags/ce_t4t.cc b/src/nfc/tags/ce_t4t.cc
index ba646e4..5f80587 100644
--- a/src/nfc/tags/ce_t4t.cc
+++ b/src/nfc/tags/ce_t4t.cc
@@ -649,6 +649,13 @@
if (instruct == T4T_CMD_INS_SELECT) {
/* P1 Byte is already parsed */
if (select_type == T4T_CMD_P1_SELECT_BY_FILE_ID) {
+ /* CLA+INS+P1+P2+Lc+FILE_ID = T4T_CMD_MAX_HDR_SIZE + T4T_FILE_ID_SIZE */
+ if (p_c_apdu->len < (T4T_CMD_MAX_HDR_SIZE + T4T_FILE_ID_SIZE)) {
+ LOG(ERROR) << "Wrong length";
+ GKI_freebuf(p_c_apdu);
+ ce_t4t_send_status(T4T_RSP_WRONG_LENGTH);
+ return;
+ }
ce_t4t_process_select_file_cmd(p_cmd);
} else {
LOG(ERROR) << StringPrintf("CET4T: Bad P1 byte (0x%02X)", select_type);
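Review bot: The new "Wrong length" log on the added line inside the SELECT-by-file-id branch drops the one value a triager needs and does not follow the file's logging convention visible two lines below, which prefixes the tag and prints the offending byte; `LOG(ERROR) << StringPrintf("CET4T: Wrong length (%u)", p_c_apdu->len);` would match it. The guard compares p_c_apdu->len against T4T_CMD_MAX_HDR_SIZE + T4T_FILE_ID_SIZE, i.e. it presumes the short-APDU header with Lc present; if the callee also reads Le or an extended-length header, that is not covered here and should be confirmed. The check is local to this branch, so any other branch of the dispatch that indexes the APDU body beyond the header presumably needs the same minimum-length validation; the enclosing function begins and ends outside the hunk.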
diff --git a/src/nfc/tags/rw_t4t.cc b/src/nfc/tags/rw_t4t.cc
index 92ff5d9..b7b6144 100644
--- a/src/nfc/tags/rw_t4t.cc
+++ b/src/nfc/tags/rw_t4t.cc
@@ -2116,7 +2116,8 @@
status = false;
if (option == RW_T4T_CHK_EMPTY_I_BLOCK) {
/* use empty I block for presence check */
- p_data = (NFC_HDR*)GKI_getbuf(NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE);
+ p_data = (NFC_HDR*)GKI_getbuf(sizeof(NFC_HDR) + NCI_MSG_OFFSET_SIZE +
+ NCI_DATA_HDR_SIZE);
if (p_data != nullptr) {
p_data->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
p_data->len = 0;
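Review bot: The header reservation `NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE` is now spelled out twice in the new code, once in the GKI_getbuf size and again in the p_data->offset assignment two lines later, so a future change to one will silently desynchronise the other; a single local such as `const uint16_t hdr_reserve = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;` used in both places would keep the buffer size and the payload offset tied together. A one-line comment on the allocation, `/* GKI_getbuf size must cover the NFC_HDR itself plus the reserved NCI header space */`, would record why sizeof(NFC_HDR) was added, since nothing in the hunk says so. The same getbuf-without-header pattern may exist at other call sites in this file; that is not visible here and worth a grep. The enclosing function continues past the hunk.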