Potential OOB read in nfc_ncif_proc_ee_action

Bug: 157649306
Test: build ok
Change-Id: I0f79b50a46bb7b03e08f25f5cfb8d6e7d38e8795
diff --git a/src/nfc/nfc/nfc_ncif.cc b/src/nfc/nfc/nfc_ncif.cc
index 489b84f..d76ccf3b 100644
--- a/src/nfc/nfc/nfc_ncif.cc
+++ b/src/nfc/nfc/nfc_ncif.cc
@@ -1426,16 +1426,26 @@
 void nfc_ncif_proc_ee_action(uint8_t* p, uint16_t plen) {
  tNFC_EE_ACTION_REVT evt_data;
  tNFC_RESPONSE_CBACK* p_cback = nfc_cb.p_resp_cback;
+ tNFC_RESPONSE nfc_response;
  uint8_t data_len, ulen, tag, *p_data;
  uint8_t max_len;
 
  if (p_cback) {
   memset(&evt_data.act_data, 0, sizeof(tNFC_ACTION_DATA));
+  if (plen > 3) {
+   plen -= 3;
+  } else {
+   evt_data.status = NFC_STATUS_FAILED;
+   evt_data.nfcee_id = 0;
+   nfc_response.ee_action = evt_data;
+   (*p_cback)(NFC_EE_ACTION_REVT, &nfc_response);
+   android_errorWriteLog(0x534e4554, "157649306");
+   return;
+  }
   evt_data.status = NFC_STATUS_OK;
   evt_data.nfcee_id = *p++;
   evt_data.act_data.trigger = *p++;
   data_len = *p++;
-  if (plen >= 3) plen -= 3;
   if (data_len > plen) data_len = (uint8_t)plen;
 
   switch (evt_data.act_data.trigger) {
@@ -1478,7 +1488,6 @@
     }
     break;
   }
-  tNFC_RESPONSE nfc_response;
   nfc_response.ee_action = evt_data;
   (*p_cback)(NFC_EE_ACTION_REVT, &nfc_response);
  }