diff options
author | Gaoxiang Chen <gaochen@codeaurora.org> | 2017-05-17 15:14:36 +0800 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-09-12 23:18:38 -0700 |
commit | a476e30e307b213086a8716fdaafe7fccdb74b35 (patch) | |
tree | ec0cfc02b9127912f6914c76831a5fcdc9a0515d /drivers/media | |
parent | 14f6bfeeebb97c02cbf0c43818f7998e3bdb3cae (diff) |
msm: camera: fix off-by-one overflow in msm_isp_get_bufq
In msm_isp_get_bufq, if bufq_index == buf_mgr->num_buf_q,
it will pass the check, leading to off-by-one overflow
(exceed the length of array by one element).
CRs-Fixed: 2031677
Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
Diffstat (limited to 'drivers/media')
-rw-r--r-- | drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c index 8f3cffb4c3da..eab56b70e646 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c @@ -86,7 +86,7 @@ struct msm_isp_bufq *msm_isp_get_bufq( /* bufq_handle cannot be 0 */ if ((bufq_handle == 0) || bufq_index >= BUF_MGR_NUM_BUF_Q || - (bufq_index > buf_mgr->num_buf_q)) + (bufq_index >= buf_mgr->num_buf_q)) return NULL; bufq = &buf_mgr->bufq[bufq_index]; |