diff --git a/SN100x/halimpl/mifare/NxpMfcReader.cc b/SN100x/halimpl/mifare/NxpMfcReader.cc
index 4ed6429..59429a9 100644
--- a/SN100x/halimpl/mifare/NxpMfcReader.cc
+++ b/SN100x/halimpl/mifare/NxpMfcReader.cc
@@ -54,13 +54,13 @@ int NxpMfcReader::Write(uint16_t mfcDataLen, const uint8_t *pMfcData) {
   BuildMfcCmd(&mfcTagCmdBuff[3], &mfcTagCmdBuffLen);
 
   mfcTagCmdBuff[2] = mfcTagCmdBuffLen;
-  mfcDataLen = mfcTagCmdBuffLen + NCI_HEADER_SIZE;
-  int writtenDataLen = phNxpNciHal_write_internal(mfcDataLen, mfcTagCmdBuff);
+  int writtenDataLen = phNxpNciHal_write_internal(
+      mfcTagCmdBuffLen + NCI_HEADER_SIZE, mfcTagCmdBuff);
 
   /* send TAG_CMD part 2 for Mifare increment ,decrement and restore commands */
   if (mfcTagCmdBuff[4] == eMifareDec || mfcTagCmdBuff[4] == eMifareInc ||
       mfcTagCmdBuff[4] == eMifareRestore) {
-    SendIncDecRestoreCmdPart2(pMfcData);
+    SendIncDecRestoreCmdPart2(mfcDataLen, pMfcData);
   }
   return writtenDataLen;
 }
@@ -264,7 +264,8 @@ void NxpMfcReader::AuthForWrite() {
 ** Returns          None
 **
 *******************************************************************************/
-void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t *mfcData) {
+void NxpMfcReader::SendIncDecRestoreCmdPart2(uint16_t mfcDataLen,
+                                             const uint8_t *mfcData) {
   NFCSTATUS status = NFCSTATUS_SUCCESS;
   /* Build TAG_CMD part 2 for Mifare increment ,decrement and restore commands*/
   uint8_t incDecRestorePart2[] = {0x00, 0x00, 0x05, (uint8_t)eMfRawDataXchgHdr,
@@ -272,6 +273,10 @@ void NxpMfcReader::SendIncDecRestoreCmdPart2(const uint8_t *mfcData) {
   uint8_t incDecRestorePart2Size =
       (sizeof(incDecRestorePart2) / sizeof(incDecRestorePart2[0]));
   if (mfcData[3] == eMifareInc || mfcData[3] == eMifareDec) {
+    if (incDecRestorePart2Size >= mfcDataLen) {
+      incDecRestorePart2Size = mfcDataLen - 1;
+      android_errorWriteLog(0x534e4554, "238177877");
+    }
     for (int i = 4; i < incDecRestorePart2Size; i++) {
       incDecRestorePart2[i] = mfcData[i + 1];
     }
diff --git a/SN100x/halimpl/mifare/NxpMfcReader.h b/SN100x/halimpl/mifare/NxpMfcReader.h
index 3b353ba..0792df5 100644
--- a/SN100x/halimpl/mifare/NxpMfcReader.h
+++ b/SN100x/halimpl/mifare/NxpMfcReader.h
@@ -109,7 +109,7 @@ class NxpMfcReader {
   void BuildIncDecCmd();
   void CalcSectorAddress();
   void AuthForWrite();
-  void SendIncDecRestoreCmdPart2(const uint8_t *mfcData);
+  void SendIncDecRestoreCmdPart2(uint16_t mfcDataLen, const uint8_t *mfcData);
 
 public:
   int Write(uint16_t mfcDataLen, const uint8_t *pMfcData);
@@ -117,4 +117,4 @@ class NxpMfcReader {
   NFCSTATUS CheckMfcResponse(uint8_t *pTransceiveData,
                              uint16_t transceiveDataLen);
   static NxpMfcReader &getInstance();
-};
\ No newline at end of file
+};