authorGeorge Chang <georgekgchang@google.com>2019-07-09 15:46:28 +0800
committermosimchah <mosimchah@gmail.com>2019-10-12 11:40:59 -0400
commitf906f33da5dff7dba433efee5a5b9be87ec757ac (patch)
tree5caed2b1b86df65013c1941531a67a18a3f9db28
parent7fab21a09bb8be65ed4476ba28f35421e174a332 (diff)
Prevent length underflow in NfcTag.cppp9.0
Bug: 124940143 Test: Read Type4B Tag Exempt-From-Owner-Approval: Old Owners are all transferred to another BU Change-Id: Ibdab756410bf55d701875279df3e289dbc9369d6 (cherry picked from commit c7b41a96744e1ac30920991ef1b427acbcde44db)
-rw-r--r--nci/jni/NfcTag.cpp10
1 files changed, 9 insertions, 1 deletions
diff --git a/nci/jni/NfcTag.cpp b/nci/jni/NfcTag.cpp
index d8a42c11..7194d8c0 100644
--- a/nci/jni/NfcTag.cpp
+++ b/nci/jni/NfcTag.cpp
@@ -21,6 +21,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
+#include <log/log.h>
#include <nativehelper/ScopedLocalRef.h>
#include <nativehelper/ScopedPrimitiveArray.h>
@@ -713,7 +714,14 @@ void NfcTag::fillNativeNfcTagMembers3(JNIEnv* e, jclass tag_cls, jobject tag,
DLOG_IF(INFO, nfc_debug_enabled)
<< StringPrintf("%s: tech B; TARGET_TYPE_ISO14443_3B", fn);
len = mTechParams[i].param.pb.sensb_res_len;
- len = len - 4; // subtract 4 bytes for NFCID0 at byte 2 through 5
+ if (len >= NFC_NFCID0_MAX_LEN) {
+ // subtract 4 bytes for NFCID0 at byte 2 through 5
+ len = len - NFC_NFCID0_MAX_LEN;
+ } else {
+ android_errorWriteLog(0x534e4554, "124940143");
+ LOG(ERROR) << StringPrintf("%s: sensb_res_len error", fn);
+ len = 0;
+ }
pollBytes.reset(e->NewByteArray(len));
e->SetByteArrayRegion(pollBytes.get(), 0, len,
(jbyte*)(mTechParams[i].param.pb.sensb_res + 4));
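Review bot: The new guard bounds `len` only from below, so the `SetByteArrayRegion` call after the `else` branch still reads `len` bytes from `sensb_res + 4` with nothing in this hunk confirming that `sensb_res_len` fits the source buffer. If that length is not already validated where the SENSB_RES is parsed (not visible here), the condition could also cap it, e.g. `if (len >= NFC_NFCID0_MAX_LEN && len <= sizeof(mTechParams[i].param.pb.sensb_res)) {`, assuming `sensb_res` is a fixed-size array member. The subtraction now uses `NFC_NFCID0_MAX_LEN` while the copy offset is still the literal `4`; writing `sensb_res + NFC_NFCID0_MAX_LEN` would keep the two tied together. The body of fillNativeNfcTagMembers3 starts and ends outside this hunk, so the declared type of `len` could not be checked.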