authorJack Yu <jackcwyu@google.com>2019-01-30 15:46:03 +0800
committerJP Sugarbroad <jpsugar@google.com>2019-02-12 13:10:23 -0800
commita0ffb242233247f657a6af3ea26cd5272d20a359 (patch)
tree9051b4df1e9d14cbf5847e4d95111d072dc2dbd9
parenteb7993955684d5dff8c166c6a5c35617f9efca3d (diff)
Prevent OOB error in rw_i93_sm_update_ndef()
Bug: 122320256 Test: NFC tag reading Change-Id: I6b57b186c8b4c793e05d646286ed8155dc460bf5 (cherry picked from commit 8a433fd5db78b81fcfff78460d2e02c820ddc4cd)
-rw-r--r--src/nfc/tags/rw_i93.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
index d883d96..4fcf4ac 100644
--- a/src/nfc/tags/rw_i93.c
+++ b/src/nfc/tags/rw_i93.c
@@ -2083,6 +2083,12 @@ void rw_i93_sm_update_ndef (BT_HDR *p_resp)
RW_TRACE_DEBUG1 ("rw_i93_sm_update_ndef () sub_state:0x%x", p_i93->sub_state);
#endif
+ if (length == 0 || p_i93->block_size > I93_MAX_BLOCK_LENGH) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error (NFC_STATUS_FAILED);
+ return;
+ }
+
STREAM_TO_UINT8 (flags, p);
length--;
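Review bot: The new guard rejects a block_size above I93_MAX_BLOCK_LENGH but not a block_size of zero, and the second hunk goes on to compute `(p_i93->ndef_tlv_start_offset + 1) % p_i93->block_size`, which is undefined for a zero divisor. If block_size can still be zero when this state is reached (it is presumably filled in when the tag's system information was read, which is not visible here), the check should read `if (length == 0 || p_i93->block_size == 0 || p_i93->block_size > I93_MAX_BLOCK_LENGH) {`. The enclosing function rw_i93_sm_update_ndef starts and ends outside the hunk.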
@@ -2112,6 +2118,12 @@ void rw_i93_sm_update_ndef (BT_HDR *p_resp)
/* get offset of length field */
length_offset = (p_i93->ndef_tlv_start_offset + 1) % p_i93->block_size;
+ if (length < length_offset) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error (NFC_STATUS_FAILED);
+ return;
+ }
+
/* set length to zero */
*(p + length_offset) = 0x00;
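Review bot: The guard `if (length < length_offset)` still admits length == length_offset, and the next line writes `*(p + length_offset) = 0x00;`, which is one byte past the `length` bytes at p if, as the preceding `length--` suggests, length counts the bytes remaining after the flags byte was consumed; the tight bound is `if (length <= length_offset) {`. The same off-by-one is in the third and fourth hunks, where `if (xx > length ...)` lets xx == length through before `*(p + xx)` is written, so those should use `xx >= length`. Whether the extra byte is harmful depends on the slack in the BT_HDR buffer, which this diff does not show, but the checks as written do not match the bound they are meant to enforce. rw_i93_sm_update_ndef's body continues outside the hunk.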
@@ -2130,6 +2142,12 @@ void rw_i93_sm_update_ndef (BT_HDR *p_resp)
/* write the first part of NDEF in the same block */
for ( ; xx < p_i93->block_size; xx++)
{
+ if (xx > length || p_i93->rw_length > p_i93->ndef_length) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error (NFC_STATUS_FAILED);
+ return;
+ }
+
if (p_i93->rw_length < p_i93->ndef_length)
{
*(p + xx) = *(p_i93->p_update_data + p_i93->rw_length++);
@@ -2305,6 +2323,11 @@ void rw_i93_sm_update_ndef (BT_HDR *p_resp)
/* update length field within the read block */
for (xx = length_offset; xx < p_i93->block_size; xx++)
{
+ if (xx > length) {
+ android_errorWriteLog(0x534e4554, "122320256");
+ rw_i93_handle_error (NFC_STATUS_FAILED);
+ return;
+ }
if (p_i93->rw_length == 3)
*(p + xx) = 0xFF;
else if (p_i93->rw_length == 2)