Prevent OOB access in Ndef read Bug: 145520471 Test: read ndef Change-Id: I21ad56d317c6673fe2cc5411dd7c7b310180f1aa (cherry picked from commit 18e850861dd05ecb4a8b0f05286515a636cf0836)

commit: ca2f591f90ddfda6c9f4d9d19d751a34e9704f13 [log] [tgz]
author: Jack Yu <jackcwyu@google.com> Wed Mar 04 21:35:16 2020 +0800
committer: Jack Yu <jackcwyu@google.com> Tue Mar 24 04:16:39 2020 +0000
tree: e13e6537469db8bb95e4180d2643d4cbfb8666ef
parent: a705221ae525ec5d1935659db2daf4ff886fb818 [diff]
diff --git a/src/nfc/ndef/ndef_utils.cc b/src/nfc/ndef/ndef_utils.cc
index 128cb69..6a95ebe 100644
--- a/src/nfc/ndef/ndef_utils.cc
+++ b/src/nfc/ndef/ndef_utils.cc

@@ -198,6 +198,10 @@
     }
 
     /* Check for OOB */
+    if (payload_len + type_len + id_len < payload_len ||
+        payload_len + type_len + id_len > msg_len) {
+      return (NDEF_MSG_LENGTH_MISMATCH);
+    }
     p_new = p_rec + (payload_len + type_len + id_len);
     if (p_rec > p_new || p_end < p_new) {
         android_errorWriteLog(0x534e4554, "126200054");
commit	ca2f591f90ddfda6c9f4d9d19d751a34e9704f13	[log] [tgz]
author	Jack Yu <jackcwyu@google.com>	Wed Mar 04 21:35:16 2020 +0800
committer	Jack Yu <jackcwyu@google.com>	Tue Mar 24 04:16:39 2020 +0000
tree	e13e6537469db8bb95e4180d2643d4cbfb8666ef
parent	a705221ae525ec5d1935659db2daf4ff886fb818 [diff]