Prevent integer underflow in rw_t2t_handle_tlv_detect_rsp()
Bug: 121035711
Test: NFC Enable/Disable
Change-Id: Ifa3e5fdf23f267a0d6c3aa8495c4c83f20153025
(cherry picked from commit 83439b5ca03c9a52ddbf9d9a033c18d9e456a97b)
diff --git a/src/nfc/tags/rw_t2t_ndef.cc b/src/nfc/tags/rw_t2t_ndef.cc
index 03d205e..c18c685 100644
--- a/src/nfc/tags/rw_t2t_ndef.cc
+++ b/src/nfc/tags/rw_t2t_ndef.cc
@@ -594,7 +594,12 @@
break;
case TAG_LOCK_CTRL_TLV:
- p_t2t->bytes_count--;
+ if (p_t2t->bytes_count > 0) {
+ p_t2t->bytes_count--;
+ } else {
+ LOG(ERROR) << StringPrintf("Underflow p_t2t->bytes_count!");
+ android_errorWriteLog(0x534e4554, "120506143");
+ }
if ((tlvtype == TAG_LOCK_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
/* Collect Lock TLV */
p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];
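Review bot: The new `else` branch under `case TAG_LOCK_CTRL_TLV:` only logs, so execution still reaches `p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];` and the byte is consumed as TLV data even though the counter was already exhausted. With `bytes_count` at 0 the index is 2, which is presumably in range, but the stored value and any completion logic that follows then act on a TLV the parser has just flagged as malformed. Ending the case in the error branch, e.g. a `break;` after the `android_errorWriteLog(...)` call, or routing to whatever failure path this function already has, would stop that. The same applies to the TAG_MEM_CTRL_TLV and TAG_PROPRIETARY_TLV hunks, where the fall-through reaches `if (p_t2t->bytes_count == 0)` and `found = true` respectively. The function body starts and ends outside the hunk, so the right failure handling needs checking against the full state machine.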
@@ -642,7 +647,12 @@
break;
case TAG_MEM_CTRL_TLV:
- p_t2t->bytes_count--;
+ if (p_t2t->bytes_count > 0) {
+ p_t2t->bytes_count--;
+ } else {
+ LOG(ERROR) << StringPrintf("bytes_count underflow!");
+ android_errorWriteLog(0x534e4554, "120506143");
+ }
if ((tlvtype == TAG_MEM_CTRL_TLV) || (tlvtype == TAG_NDEF_TLV)) {
p_t2t->tlv_value[2 - p_t2t->bytes_count] = p_data[offset];
if (p_t2t->bytes_count == 0) {
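Review bot: The error text here (`"bytes_count underflow!"`) differs from the first hunk's `"Underflow p_t2t->bytes_count!"`, and neither names the TLV case, so a log line cannot be tied to one of the three guarded sites. `StringPrintf` with no format arguments adds nothing; `LOG(ERROR) << "bytes_count underflow in TAG_MEM_CTRL_TLV";` would be enough, and the three identical guards could share one small static helper. The SafetyNet tag `"120506143"` also differs from the `Bug: 121035711` line in the commit message; that may be intentional, but a short comment saying which bug the tag tracks would help whoever correlates these events later.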
@@ -674,7 +684,12 @@
break;
case TAG_PROPRIETARY_TLV:
- p_t2t->bytes_count--;
+ if (p_t2t->bytes_count > 0) {
+ p_t2t->bytes_count--;
+ } else {
+ LOG(ERROR) << StringPrintf("bytes_count underflow!");
+ android_errorWriteLog(0x534e4554, "120506143");
+ }
if (tlvtype == TAG_PROPRIETARY_TLV) {
found = true;
p_t2t->prop_msg_len = len;