mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-27 16:39:35 -05:00
202033c013
This adds 3 expat patches for n-asb-2022-09 from https://github.com/syphyr/android_external_expat/commits/cm-14.1 and also applies 2 of them to 15.1 Signed-off-by: Tad <tad@spotco.us>
45 lines
1.9 KiB
Diff
45 lines
1.9 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Alisher Alikhodjaev <alisher@google.com>
|
|
Date: Fri, 18 Mar 2022 17:13:05 -0700
|
|
Subject: [PATCH] OOB read in phNciNfc_RecvMfResp()
|
|
|
|
The size of RspBuff for Mifare shall be at least 2 bytes:
|
|
Mifare Req/Rsp Id + Status
|
|
|
|
Bug: 221852424
|
|
Test: build ok
|
|
Change-Id: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
|
|
(cherry picked from commit f0d86f7fe23499cd4c6631348618463fbc496436)
|
|
Merged-In: I3a1e10997de8d2a7cb8bbb524fc8788aaf97944e
|
|
---
|
|
nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 9 +--------
|
|
1 file changed, 1 insertion(+), 8 deletions(-)
|
|
|
|
diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
|
index d3d78a03..0ee2314d 100755
|
|
--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
|
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
|
|
@@ -1230,7 +1230,7 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
|
|
}
|
|
else
|
|
{
|
|
- if((0 == (RspBuffInfo->wLen))
|
|
+ if(((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) > RspBuffInfo->wLen)
|
|
|| (PH_NCINFC_STATUS_OK != wStatus)
|
|
|| (NULL == (RspBuffInfo->pBuff))
|
|
)
|
|
@@ -1250,13 +1250,6 @@ phNciNfc_RecvMfResp(phNciNfc_Buff_t* RspBuffInfo,
|
|
{
|
|
status = NFCSTATUS_SUCCESS;
|
|
|
|
- if ((PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE) >
|
|
- RspBuffInfo->wLen)
|
|
- {
|
|
- android_errorWriteLog(0x534e4554, "181346550");
|
|
- return NFCSTATUS_FAILED;
|
|
- }
|
|
-
|
|
/* DataLen = TotalRecvdLen - (sizeof(RspId) + sizeof(Status)) */
|
|
wPldDataSize = ((RspBuffInfo->wLen) -
|
|
(PHNCINFC_EXTNID_SIZE + PHNCINFC_EXTNSTATUS_SIZE));
|