Merge "Prevent OOB read in ce_t4t_process_select_file_cmd" into qt-qpr1-dev
diff --git a/src/nfc/tags/rw_t2t_ndef.cc b/src/nfc/tags/rw_t2t_ndef.cc
index d0edf39..ad98228 100644
--- a/src/nfc/tags/rw_t2t_ndef.cc
+++ b/src/nfc/tags/rw_t2t_ndef.cc
@@ -620,10 +620,19 @@
                     p_t2t->tlv_value[0] & 0x0F;
                 p_t2t->lock_tlv[p_t2t->num_lock_tlvs].bytes_locked_per_bit =
                     (uint8_t)tags_pow(2, ((p_t2t->tlv_value[2] & 0xF0) >> 4));
-                p_t2t->lock_tlv[p_t2t->num_lock_tlvs].num_bits =
-                    p_t2t->tlv_value[1];
-                count = p_t2t->tlv_value[1] / 8 +
-                        ((p_t2t->tlv_value[1] % 8 != 0) ? 1 : 0);
+                /* Note: 0 value in DLA_NbrLockBits means 256 */
+                count = p_t2t->tlv_value[1];
+                /* Set it to max value that can be stored in lockbytes */
+                if (count == 0) {
+#if RW_T2T_MAX_LOCK_BYTES > 0x1F
+                  count = UCHAR_MAX;
+#else
+                  count = RW_T2T_MAX_LOCK_BYTES * TAG_BITS_PER_BYTE;
+#endif
+                }
+                p_t2t->lock_tlv[p_t2t->num_lock_tlvs].num_bits = count;
+                count = count / TAG_BITS_PER_BYTE +
+                        ((count % TAG_BITS_PER_BYTE != 0) ? 1 : 0);
 
                 /* Extract lockbytes info addressed by this Lock TLV */
                 xx = 0;
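Review bot: Only the DLA_NbrLockBits == 0 case is clamped to the lockbytes capacity in the new `if (count == 0)` branch; a non-zero `tlv_value[1]` of up to 255 still produces a `count` of up to 32 bytes, so when RW_T2T_MAX_LOCK_BYTES is below 0x20 the "Extract lockbytes info" loop that follows (its body is outside the hunk) has to bound on RW_T2T_MAX_LOCK_BYTES itself or this clamp is incomplete. If `count` and `num_bits` are wide enough to hold it, one clamp covering both cases is simpler: `if (count == 0 || count > RW_T2T_MAX_LOCK_BYTES * TAG_BITS_PER_BYTE) count = RW_T2T_MAX_LOCK_BYTES * TAG_BITS_PER_BYTE;` — the `#if` split is only needed if `num_bits` is a byte and RW_T2T_MAX_LOCK_BYTES * 8 can exceed 255, which the hunk does not show. The comment says 0 means 256 yet the `#if` branch stores UCHAR_MAX (255); a note such as `/* 256 does not fit in a byte; 255 is the nearest representable value */` would stop a reader from filing this as an off-by-one, assuming `num_bits` really is a uint8_t. The enclosing function starts and ends outside the hunk.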
@@ -861,6 +870,14 @@
         bytes_locked_per_lock_bit;
     num_dynamic_lock_bytes = num_dynamic_lock_bits / 8;
     num_dynamic_lock_bytes += (num_dynamic_lock_bits % 8 == 0) ? 0 : 1;
+    if (num_dynamic_lock_bytes > RW_T2T_MAX_LOCK_BYTES) {
+      LOG(ERROR) << StringPrintf(
+          "rw_t2t_extract_default_locks_info - buffer size: %u less than "
+          "DynLock area sise: %u",
+          RW_T2T_MAX_LOCK_BYTES, num_dynamic_lock_bytes);
+      num_dynamic_lock_bytes = RW_T2T_MAX_LOCK_BYTES;
+      android_errorWriteLog(0x534e4554, "147310721");
+    }
 
     p_t2t->lock_tlv[p_t2t->num_lock_tlvs].offset =
         (p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] * T2T_TMS_TAG_FACTOR) +
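Review bot: The new error string misspells "size" as "sise", and `%u` is paired with RW_T2T_MAX_LOCK_BYTES, which is very likely a plain int macro (a format/argument type mismatch is undefined behaviour even where it happens to print correctly); change `"DynLock area sise: %u",` to `"DynLock area size: %u",` and the argument line to `(unsigned)RW_T2T_MAX_LOCK_BYTES, (unsigned)num_dynamic_lock_bytes);`. The clamp leaves `num_dynamic_lock_bits` untouched; if that value is later stored into `lock_tlv[].num_bits` (outside the hunk) the field would still advertise more bits than the clamped byte count can hold, so clamping the bit count in the same branch is worth considering. The enclosing function starts and ends outside the hunk.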
@@ -2256,7 +2273,8 @@
           if (p_t2t->lockbyte[num_dyn_lock_bytes].lock_byte &
               rw_t2t_mask_bits[xx]) {
             /* If the bit is set then it is locked */
-            p_t2t->lock_attr[block_count] |= 0x01 << bits_covered;
+            if (block_count < RW_T2T_SEGMENT_SIZE)
+              p_t2t->lock_attr[block_count] |= 0x01 << bits_covered;
           }
           bytes_covered++;
           bits_covered++;
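Review bot: The new bound check silently drops lock information for any block index at or past RW_T2T_SEGMENT_SIZE rather than reporting it, which is inconsistent with the clamp earlier in this file that logs and records an android_errorWriteLog event; if such an index can only come from a malformed tag, a LOG(ERROR) in an `else` branch would make the truncation visible in bug reports. The skipped write does not stop the loop, so `bytes_covered`/`bits_covered` keep advancing for blocks that are never recorded — harmless as far as the visible lines show, but worth a comment such as `/* lock_attr covers one segment; bits past it are counted but not recorded */`. The surrounding `if` brace their single-statement bodies, so the new `if` should be braced for consistency. The enclosing loop and function start and end outside the hunk.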
diff --git a/src/nfc/tags/rw_t4t.cc b/src/nfc/tags/rw_t4t.cc
index 92ff5d9..b7b6144 100644
--- a/src/nfc/tags/rw_t4t.cc
+++ b/src/nfc/tags/rw_t4t.cc
@@ -2116,7 +2116,8 @@
     status = false;
     if (option == RW_T4T_CHK_EMPTY_I_BLOCK) {
       /* use empty I block for presence check */
-      p_data = (NFC_HDR*)GKI_getbuf(NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE);
+      p_data = (NFC_HDR*)GKI_getbuf(sizeof(NFC_HDR) + NCI_MSG_OFFSET_SIZE +
+                                    NCI_DATA_HDR_SIZE);
       if (p_data != nullptr) {
         p_data->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
         p_data->len = 0;
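Review bot: The corrected GKI_getbuf size carries no comment explaining why `sizeof(NFC_HDR)` must be included, and the removed line shows how plausible the omission looks; add `/* buffer must hold the NFC_HDR itself plus the NCI header room reserved by offset */` above the call so the next GKI_getbuf site is not written the same way. Any other GKI_getbuf call in this file that sizes only by NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE (none are visible here) should be checked for the same under-allocation. The enclosing function starts and ends outside the hunk.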