Prevent OOB error in nfc_ncif_proc_get_routing()
Test: Tag reading; Card Emulation
Bug: 117554809
Change-Id: Ib49af2eadf870f030a6cddeec390dc498bd5078c
(cherry picked from commit ded496ea745656018dda505c23726b4304180c38)
diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
index 93666e0..6d6607d 100644
--- a/src/nfc/nfc/nfc_ncif.cc
+++ b/src/nfc/nfc/nfc_ncif.cc
@@ -25,6 +25,7 @@
******************************************************************************/
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include <metricslogger/metrics_logger.h>
#include "nfc_target.h"
@@ -1235,8 +1236,13 @@
for (yy = 0; yy < evt_data.num_tlvs; yy++) {
tl = *(p + 1);
tl += NFC_TL_SIZE;
- STREAM_TO_ARRAY(pn, p, tl);
evt_data.tlv_size += tl;
+ if (evt_data.tlv_size > NFC_MAX_EE_TLV_SIZE) {
+ android_errorWriteLog(0x534e4554, "117554809");
+ LOG(ERROR) << __func__ << "Invalid data format";
+ return;
+ }
+ STREAM_TO_ARRAY(pn, p, tl);
pn += tl;
}
tNFC_RESPONSE nfc_response;