Add cross-validation to IccCardStatusResponse

Verify that the card app indices are within the range
of the number of provided apps.

Bug: 62459080
Test: none

Change-Id: I07a89b440ebfbe5a00a1b493527506a573b7d09a
(cherry picked from commit 402dc021f7d80212fb7c3f9cb7349252e4ce4312)

1 files changed, 5 insertions, 2 deletions

diff --git a/libril/ril_service.cpp b/libril/ril_service.cpp
index a2bede4..868431c 100644
--- a/libril/ril_service.cpp
+++ b/libril/ril_service.cpp
@@ -2909,11 +2909,14 @@ int radio::getIccCardStatusResponse(int slotId,
         RadioResponseInfo responseInfo = {};
         populateResponseInfo(responseInfo, serial, responseType, e);
         CardStatus cardStatus = {};
-        if (response == NULL || responseLen != sizeof(RIL_CardStatus_v6)) {
+        RIL_CardStatus_v6 *p_cur = ((RIL_CardStatus_v6 *) response);
+        if (response == NULL || responseLen != sizeof(RIL_CardStatus_v6)
+                || p_cur->gsm_umts_subscription_app_index >= p_cur->num_applications
+                || p_cur->cdma_subscription_app_index >= p_cur->num_applications
+                || p_cur->ims_subscription_app_index >= p_cur->num_applications) {
             RLOGE("getIccCardStatusResponse: Invalid response");
             if (e == RIL_E_SUCCESS) responseInfo.error = RadioError::INVALID_RESPONSE;
         } else {
-            RIL_CardStatus_v6 *p_cur = ((RIL_CardStatus_v6 *) response);
             cardStatus.cardState = (CardState) p_cur->card_state;
             cardStatus.universalPinState = (PinState) p_cur->universal_pin_state;
             cardStatus.gsmUmtsSubscriptionAppIndex = p_cur->gsm_umts_subscription_app_index;