Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

am 0aa1017f: Prevent allocation overflows by corrupt NDEF records.

Browse Source 
* commit '0aa1017f9183bca752c95af72f73120e102ab2d3':
  Prevent allocation overflows by corrupt NDEF records.
This commit is contained in:
Martijn Coenen
2011-06-01 09:51:15 -07:00
committed by Android Git Automerger
parent c841001750 0aa1017f91
commit ed1c8d7dc0
1 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
core/jni/android_nfc_NdefMessage.cpp
View File

@@ -102,6 +102,19 @@ static jint android_nfc_NdefMessage_parseNdefMessage(JNIEnv *e, jobject o,
}
TRACE("phFriNfc_NdefRecord_Parse() returned 0x%04x", status);
// We don't exactly know what *is* a valid length, but a simple
// sanity check is to make sure that the length of the header
// plus all fields does not exceed raw_msg_size. The min length
// of the header is 3 bytes: TNF, Type Length, Payload Length
// (ID length field is optional!)
uint64_t indicatedMsgLength = 3 + record.TypeLength + record.IdLength +
(uint64_t)record.PayloadLength;
if (indicatedMsgLength >
(uint64_t)raw_msg_size) {
LOGE("phFri_NdefRecord_Parse: invalid length field");
goto end;
}
type = e->NewByteArray(record.TypeLength);
if (type == NULL) {
LOGD("NFC_Set Record Type Error\n");