From 38d7c3d2c8f61daa8f08201dc44d87018f8341d9 Mon Sep 17 00:00:00 2001 From: "fang.x.chen" Date: Mon, 7 Nov 2016 12:31:10 +0900 Subject: Fix native crash in nfc_ncif_proc_activate The destination of memcpy is allocated with a predetermined maximum length, but in some cases the length of information being copied is greater than the maximum length of the destination. This is the root cause of crash. Add length check before memcpy to avoid memory overflow Test: Repeat reading and writing tag Bug: 33434992 Bug: 32688507 Change-Id: I09ee3c734e9be38a35b1d48679d74e42e0432d78 (cherry picked from commit 09cb3b3dc46c8bab51346a4163b130857d806418) --- src/nfc/nfc/nfc_ncif.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c index 99ad256..2e2c14f 100644 --- a/src/nfc/nfc/nfc_ncif.c +++ b/src/nfc/nfc/nfc_ncif.c @@ -839,6 +839,8 @@ void nfc_ncif_proc_activate (UINT8 *p, UINT8 len) pp++; /* TC */ } p_pa_iso->his_byte_len = (UINT8) (p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res)); + if (p_pa_iso->his_byte_len > NFC_MAX_HIS_BYTES_LEN) + p_pa_iso->his_byte_len = NFC_MAX_HIS_BYTES_LEN; memcpy (p_pa_iso->his_byte, pp, p_pa_iso->his_byte_len); break; -- cgit v1.2.3