Prevent OOB access in Ndef read
Bug: 145520471
Test: read ndef
Change-Id: I21ad56d317c6673fe2cc5411dd7c7b310180f1aa
(cherry picked from commit 18e850861dd05ecb4a8b0f05286515a636cf0836)
diff --git a/src/nfc/ndef/ndef_utils.cc b/src/nfc/ndef/ndef_utils.cc
index 128cb69..6a95ebe 100644
--- a/src/nfc/ndef/ndef_utils.cc
+++ b/src/nfc/ndef/ndef_utils.cc
@@ -198,6 +198,10 @@
}
/* Check for OOB */
+ if (payload_len + type_len + id_len < payload_len ||
+ payload_len + type_len + id_len > msg_len) {
+ return (NDEF_MSG_LENGTH_MISMATCH);
+ }
p_new = p_rec + (payload_len + type_len + id_len);
if (p_rec > p_new || p_end < p_new) {
android_errorWriteLog(0x534e4554, "126200054");
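Review bot: The added upper bound compares the record's combined length against `msg_len`, the size of the whole message, rather than against the bytes that remain after `p_rec`. A record that starts late in the buffer can therefore pass the new check, and `p_rec + (payload_len + type_len + id_len)` is still formed past the end of the buffer before the `p_end < p_new` test rejects it. Assuming `p_end` marks the end of the message, as the following check suggests, bounding by the remainder avoids the out-of-range pointer arithmetic: compute the sum once and test `if (sum < payload_len || sum > (uint32_t)(p_end - p_rec))`. The new early return also skips the `android_errorWriteLog` call that the existing branch makes, so a malformed message rejected here leaves no log event; consider logging before `return (NDEF_MSG_LENGTH_MISMATCH);`. The enclosing function starts and ends outside the hunk, so the declared widths of the length variables, on which the wrap test depends, should be confirmed there.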