From a476e30e307b213086a8716fdaafe7fccdb74b35 Mon Sep 17 00:00:00 2001
From: Gaoxiang Chen
Date: Wed, 17 May 2017 15:14:36 +0800
Subject: [PATCH] msm: camera: fix off-by-one overflow in msm_isp_get_bufq

In msm_isp_get_bufq, if bufq_index == buf_mgr->num_buf_q, it will pass the check, leading to off-by-one overflow (exceed the length of array by one element).

CRs-Fixed: 2031677
Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
Signed-off-by: Gaoxiang Chen
---
 drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
index 8f3cffb4c3da..eab56b70e646 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
@@ -86,7 +86,7 @@ struct msm_isp_bufq *msm_isp_get_bufq(
 /* bufq_handle cannot be 0 */
 if ((bufq_handle == 0) ||
 bufq_index >= BUF_MGR_NUM_BUF_Q ||
- (bufq_index > buf_mgr->num_buf_q))
+ (bufq_index >= buf_mgr->num_buf_q))
 return NULL;
 
 bufq = &buf_mgr->bufq[bufq_index];
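Review bot: The corrected `>=` bound still assumes bufq_index is unsigned; its declaration and its derivation from bufq_handle sit above the hunk (msm_isp_get_bufq starts outside it), and if the index is a signed int a negative value passes both `>=` comparisons and indexes buf_mgr->bufq below the array. Confirm the type, or make the intent explicit with `(unsigned int)bufq_index >= buf_mgr->num_buf_q`. The two remaining bounds also deserve a line saying why both stay, e.g. `/* num_buf_q is the runtime count, BUF_MGR_NUM_BUF_Q the static array size */`, so a later cleanup does not drop one as redundant. Whether the returned bufq is then checked against the caller's bufq_handle is outside the visible lines.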