Prevent OOB error in rw_i93_sm_detect_ndef() am: 9939edeb9f am: 2ee2f756d0
am: d4921e738b
Change-Id: I4199f067eac626944f60e931183a62eb1d6946cf
(cherry picked from commit 8909dbdece1c98e21c2190fe968013e0dc50f347)
diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
index 42a9c1c..fabfc10 100644
--- a/src/nfc/tags/rw_i93.cc
+++ b/src/nfc/tags/rw_i93.cc
@@ -22,6 +22,7 @@
* mode.
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include <android-base/stringprintf.h>
@@ -1603,6 +1604,11 @@
"sub_state:%s (0x%x)",
rw_i93_get_sub_state_name(p_i93->sub_state).c_str(), p_i93->sub_state);
+ if (length == 0) {
+ android_errorWriteLog(0x534e4554, "121260197");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
STREAM_TO_UINT8(flags, p);
length--;
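Review bot: The literals in `android_errorWriteLog(0x534e4554, "121260197");` are unexplained, and the same four-line log-and-fail sequence is repeated in the `RW_I93_SUBSTATE_WAIT_UID` hunk below. A one-line comment above the call, e.g. `/* 0x534e4554 is ASCII "SNET" (SafetyNet event tag); the string is the tracking bug id */`, would tell a maintainer why a zero-length response is logged instead of being dropped silently. If more length checks are added to this function later, a small file-local helper that logs and calls `rw_i93_handle_error(NFC_STATUS_FAILED)` would keep them uniform. The function body starts and ends outside this hunk.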
@@ -1622,6 +1628,11 @@
switch (p_i93->sub_state) {
case RW_I93_SUBSTATE_WAIT_UID:
+ if (length < (I93_UID_BYTE_LEN + 1)) {
+ android_errorWriteLog(0x534e4554, "121260197");
+ rw_i93_handle_error(NFC_STATUS_FAILED);
+ return;
+ }
STREAM_TO_UINT8(u8, p); /* DSFID */
p_uid = p_i93->uid;
STREAM_TO_ARRAY8(p_uid, p);
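Review bot: Only the `RW_I93_SUBSTATE_WAIT_UID` case gets a length check here. The remaining cases of this `switch` are outside the hunk, so confirm whether any of them read from `p` at fixed offsets and need an equivalent guard against a short response before treating the function as fully covered. Within this case the bound is written as `I93_UID_BYTE_LEN + 1` while the read is done by `STREAM_TO_ARRAY8`, which copies a fixed 8 bytes, so the check is only correct while that constant equals 8. A comment such as `/* 1 byte DSFID + 8 byte UID consumed by STREAM_TO_ARRAY8 */`, or a `static_assert(I93_UID_BYTE_LEN == 8, "UID read assumes 8 bytes");` near the definition, would pin that relationship.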