msm: camera: fix off-by-one overflow in msm_isp_get_bufq

In msm_isp_get_bufq, if bufq_index == buf_mgr->num_buf_q,
it will pass the check, leading to off-by-one overflow
(exceed the length of array by one element).

CRs-Fixed: 2031677
Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
Gaoxiang Chen 2017-05-17 15:14:36 +08:00 committed by Gerrit - the friendly Code Review server
parent 14f6bfeeeb
commit a476e30e30

@ -86,7 +86,7 @@ struct msm_isp_bufq *msm_isp_get_bufq(
/* bufq_handle cannot be 0 */ /* bufq_handle cannot be 0 */
if ((bufq_handle == 0) || if ((bufq_handle == 0) ||
bufq_index >= BUF_MGR_NUM_BUF_Q || bufq_index >= BUF_MGR_NUM_BUF_Q ||
(bufq_index > buf_mgr->num_buf_q)) (bufq_index >= buf_mgr->num_buf_q))
return NULL; return NULL;
bufq = &buf_mgr->bufq[bufq_index]; bufq = &buf_mgr->bufq[bufq_index];
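
Review bot: The comment above the condition still documents only the bufq_handle == 0 case, while the bound being corrected here is on bufq_index. Extend the comment to state that bufq_index must be strictly less than both BUF_MGR_NUM_BUF_Q and buf_mgr->num_buf_q, because it is used directly in &buf_mgr->bufq[bufq_index]. The hunk does not show how bufq_index is declared: if it is a signed type, a negative value would pass both >= comparisons, so confirm it is unsigned or add a lower-bound check. It is also worth checking any other place that indexes buf_mgr->bufq for the same > versus >= pattern against num_buf_q.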