authorfang.x.chen <fang.x.chen@sonymobile.com>2016-11-07 12:31:10 +0900
committerRuchi Kandoi <kandoiruchi@google.com>2016-12-06 11:02:30 -0800
commit6b9d3936e060f3f73de746d855b6676c495753a8 (patch)
treef5a303179ae8187a2a9283740cb160524e112ab2
parent0e3eeae5ec8d7ea910407b81e2ba52abc9b84257 (diff)
The destination of memcpy is allocated with a predetermined maximum length, but in some cases the length of the information being copied is greater than the maximum length of the destination. This is the root cause of the crash. Add a length check before memcpy to avoid a memory overflow. Test: Repeat reading and writing tag Bug: 32688507 Change-Id: I09ee3c734e9be38a35b1d48679d74e42e0432d78
-rw-r--r--src/nfc/nfc/nfc_ncif.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/nfc/nfc/nfc_ncif.c b/src/nfc/nfc/nfc_ncif.c
index 99ad256..2e2c14f 100644
--- a/src/nfc/nfc/nfc_ncif.c
+++ b/src/nfc/nfc/nfc_ncif.c
@@ -839,6 +839,8 @@ void nfc_ncif_proc_activate (UINT8 *p, UINT8 len)
pp++; /* TC */
}
p_pa_iso->his_byte_len = (UINT8) (p_pa_iso->ats_res_len - (pp - p_pa_iso->ats_res));
+ if (p_pa_iso->his_byte_len > NFC_MAX_HIS_BYTES_LEN)
+ p_pa_iso->his_byte_len = NFC_MAX_HIS_BYTES_LEN;
memcpy (p_pa_iso->his_byte, pp, p_pa_iso->his_byte_len);
break;
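Review bot: The clamp on the two added lines bounds the memcpy destination but not its source: his_byte_len is computed on the preceding line as `ats_res_len - (pp - ats_res)` cast to UINT8, so if the TA/TB/TC parsing above advanced pp past the end of ats_res the subtraction wraps to a large value, the clamp reduces it to NFC_MAX_HIS_BYTES_LEN, and memcpy then reads that many bytes from beyond the ATS buffer while recording a length that does not match the data. Checking the consumed offset against ats_res_len before deriving the length closes that path and keeps his_byte_len consistent with what was actually copied. The struct field types are not visible on this page, so the version below assumes ats_res_len is an unsigned byte count in the same units as the pointer difference — confirm against the struct definition. nfc_ncif_proc_activate starts before the hunk, and the hunk header announces eight new-side lines of which only seven are shown, so its tail appears to fall outside the page.
```c
/* … unchanged: TA/TB/TC parsing that advances pp … */
{
    size_t consumed  = (size_t) (pp - p_pa_iso->ats_res);
    size_t remaining = (consumed < p_pa_iso->ats_res_len) ? (p_pa_iso->ats_res_len - consumed) : 0;
    if (remaining > NFC_MAX_HIS_BYTES_LEN)
        remaining = NFC_MAX_HIS_BYTES_LEN;
    p_pa_iso->his_byte_len = (UINT8) remaining;
}
memcpy (p_pa_iso->his_byte, pp, p_pa_iso->his_byte_len);
```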