Fix native crash in nfc_ncif_proc_activate

The destination of memcpy is allocated with a predetermined maximum length, but in some cases the length of information being copied is greater than the maximum length of the destination. This is the root cause of crash. Add length check before memcpy to avoid memory overflow Test: Repeat reading and writing tag Bug: 33434992 Bug: 32688507 Change-Id: I09ee3c734e9be38a35b1d48679d74e42e0432d78 (cherry picked from commit 09cb3b3dc46c8bab51346a4163b130857d806418)
author: fang.x.chen <fang.x.chen@sonymobile.com> 2016-11-07 12:31:10 +0900
committer: gitbuildkicker <android-build@google.com> 2017-01-24 14:42:25 -0800
commit: 8e1e806945c04bca625071feb15337080258e0dd (patch)
tree: c2c62da97561c1ce9903cfaefa20d91f3d717d3b
parent: 923afa2d760c1ea97f04f89c641ad6d32824e888 (diff)
download: libnfc-nci-8e1e806945c04bca625071feb15337080258e0dd.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 99ad256..2e2c14f 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -839,6 +839,8 @@ void nfc_ncif_proc_activate (UINT8 *p, UINT8 len)
                 pp++;   /* TC */
             }
             p_pa_iso->his_byte_len  = (UINT8) (p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res));
+            if (p_pa_iso->his_byte_len > NFC_MAX_HIS_BYTES_LEN)
+                p_pa_iso->his_byte_len = NFC_MAX_HIS_BYTES_LEN;
             memcpy (p_pa_iso->his_byte,  pp, p_pa_iso->his_byte_len);
             break;
author	fang.x.chen <fang.x.chen@sonymobile.com>	2016-11-07 12:31:10 +0900
committer	gitbuildkicker <android-build@google.com>	2017-01-24 14:42:25 -0800
commit	8e1e806945c04bca625071feb15337080258e0dd (patch)
tree	c2c62da97561c1ce9903cfaefa20d91f3d717d3b
parent	923afa2d760c1ea97f04f89c641ad6d32824e888 (diff)
download	libnfc-nci-8e1e806945c04bca625071feb15337080258e0dd.tar.gz