Prevent OOB access in Ndef read

Bug: 145520471
Test: read ndef
Change-Id: I21ad56d317c6673fe2cc5411dd7c7b310180f1aa
(cherry picked from commit 18e850861dd05ecb4a8b0f05286515a636cf0836)
diff --git a/src/nfc/ndef/ndef_utils.cc b/src/nfc/ndef/ndef_utils.cc
index 128cb69..6a95ebe 100644
--- a/src/nfc/ndef/ndef_utils.cc
+++ b/src/nfc/ndef/ndef_utils.cc
@@ -198,6 +198,10 @@
     }
 
     /* Check for OOB */
+    if (payload_len + type_len + id_len < payload_len ||
+        payload_len + type_len + id_len > msg_len) {
+      return (NDEF_MSG_LENGTH_MISMATCH);
+    }
     p_new = p_rec + (payload_len + type_len + id_len);
     if (p_rec > p_new || p_end < p_new) {
         android_errorWriteLog(0x534e4554, "126200054");