From 77d8951c4e74d1535be2680e35e2b9f210d2f0aa Mon Sep 17 00:00:00 2001
From: E V Ravi
Date: Fri, 16 Nov 2018 18:07:51 +0530
Subject: [PATCH] msm: ais: fix off-by-one overflow in msm_isp_get_bufq
In msm_isp_get_bufq, if bufq_index == buf_mgr->num_buf_q, it will pass the check, leading to off-by-one overflow (exceed the length of array by one element).
Change-Id: Iccf02b68314e770ad9fae41973cad6ff7700b822
Signed-off-by: E V Ravi
---
drivers/media/platform/msm/ais/isp/msm_buf_mgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/msm/ais/isp/msm_buf_mgr.c b/drivers/media/platform/msm/ais/isp/msm_buf_mgr.c
index c23fddf6e52f..0ce3b63bcc3d 100644
--- a/drivers/media/platform/msm/ais/isp/msm_buf_mgr.c
+++ b/drivers/media/platform/msm/ais/isp/msm_buf_mgr.c
@@ -86,7 +86,7 @@ static struct msm_isp_bufq *msm_isp_get_bufq(
/* bufq_handle cannot be 0 */
if ((bufq_handle == 0) || bufq_index >= BUF_MGR_NUM_BUF_Q ||
- (bufq_index > buf_mgr->num_buf_q))
+ (bufq_index >= buf_mgr->num_buf_q))
return NULL;
bufq = &buf_mgr->bufq[bufq_index];
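Review bot: The comment above the condition still explains only the `bufq_handle == 0` case, while the bound on `bufq_index` is what keeps `&buf_mgr->bufq[bufq_index]` inside the array; I would extend it to `/* bufq_handle cannot be 0; bufq_index must be below both BUF_MGR_NUM_BUF_Q and num_buf_q */`. Where `bufq_index` comes from is not visible in the hunk; if it is derived from a handle supplied by userspace, clamping it with `array_index_nospec()` after the check is worth considering as well. Any other lookup that indexes `buf_mgr->bufq` by a handle-derived value should be checked for the same `>` comparison, since this patch touches only this one helper. The body of msm_isp_get_bufq starts and ends outside the hunk.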