From af787fdedeb62964efaf9e969ad17e3b6c232082 Mon Sep 17 00:00:00 2001 From: Gaoxiang Chen Date: Wed, 17 May 2017 15:14:36 +0800 Subject: msm: camera: fix off-by-one overflow in msm_isp_get_bufq In msm_isp_get_bufq, if bufq_index equals buf_mgr->num_buf_q, it will pass the check, leading to off-by-one overflow (exceed the length of array by one element). CRs-Fixed: 2031677 Bug: 36136563 Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13 Signed-off-by: Gaoxiang Chen --- drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c index ee65528..433d59c 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c @@ -46,7 +46,7 @@ struct msm_isp_bufq *msm_isp_get_bufq( /* bufq_handle cannot be 0 */ if ((bufq_handle == 0) || - (bufq_index > buf_mgr->num_buf_q)) + (bufq_index >= buf_mgr->num_buf_q)) return NULL; bufq = &buf_mgr->bufq[bufq_index]; -- cgit v1.1