commit c309b35f064c320408a32e45d12b67840a7ecc13
author Xuan Xing <xuanxing@google.com> Thu Nov 14 13:49:38 2019 -0800
committer George Chang <georgekgchang@google.com> Fri Jan 31 12:29:09 2020 +0000
tree 3b0632f54da6216e99e79ab9ef1f3c27d5c7bec4
parent 49a8b7a0a9d9cd19e1f1abae8d0ad0dd571a969c

Fixing a memory issue cuasing fuzzing crashes

Bug: 141331405
Test: Manually verifying the build with various NFC tags
Merged-In: I8070911c91ada3fbf73b59ca21740c71ae964453
Change-Id: I8070911c91ada3fbf73b59ca21740c71ae964453

src/nfc/tags/rw_t4t.cc

diff --git a/src/nfc/tags/rw_t4t.cc b/src/nfc/tags/rw_t4t.cc
index 92ff5d9..b7b6144 100644
--- a/src/nfc/tags/rw_t4t.cc
+++ b/src/nfc/tags/rw_t4t.cc
@@ -2116,7 +2116,8 @@
     status = false;
     if (option == RW_T4T_CHK_EMPTY_I_BLOCK) {
       /* use empty I block for presence check */
-      p_data = (NFC_HDR*)GKI_getbuf(NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE);
+      p_data = (NFC_HDR*)GKI_getbuf(sizeof(NFC_HDR) + NCI_MSG_OFFSET_SIZE +
+                                    NCI_DATA_HDR_SIZE);
       if (p_data != nullptr) {
         p_data->offset = NCI_MSG_OFFSET_SIZE + NCI_DATA_HDR_SIZE;
         p_data->len = 0;