mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
|
From af787fdedeb62964efaf9e969ad17e3b6c232082 Mon Sep 17 00:00:00 2001
|
||
|
From: Gaoxiang Chen <gaochen@codeaurora.org>
|
||
|
Date: Wed, 17 May 2017 15:14:36 +0800
|
||
|
Subject: msm: camera: fix off-by-one overflow in msm_isp_get_bufq
|
||
|
|
||
|
In msm_isp_get_bufq, if bufq_index equals buf_mgr->num_buf_q,
|
||
|
it will pass the check, leading to off-by-one overflow
|
||
|
(exceed the length of array by one element).
|
||
|
|
||
|
CRs-Fixed: 2031677
|
||
|
Bug: 36136563
|
||
|
Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
|
||
|
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
|
||
|
---
|
||
|
drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
|
||
|
index ee65528..433d59c 100644
|
||
|
--- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
|
||
|
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
|
||
|
@@ -46,7 +46,7 @@ struct msm_isp_bufq *msm_isp_get_bufq(
|
||
|
|
||
|
/* bufq_handle cannot be 0 */
|
||
|
if ((bufq_handle == 0) ||
|
||
|
- (bufq_index > buf_mgr->num_buf_q))
|
||
|
+ (bufq_index >= buf_mgr->num_buf_q))
|
||
|
return NULL;
|
||
|
|
||
|
bufq = &buf_mgr->bufq[bufq_index];
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|