Commit 77d8951c authored Nov 16, 2018 by E V Ravi

msm: ais: fix off-by-one overflow in msm_isp_get_bufq



In msm_isp_get_bufq, if bufq_index == buf_mgr->num_buf_q,
it will pass the check, leading to off-by-one overflow
(exceed the length of array by one element).

Change-Id: Iccf02b68314e770ad9fae41973cad6ff7700b822
Signed-off-by: E V Ravi <evenka@codeaurora.org>

parent 23d37eec

drivers/media/platform/msm/ais/isp/msm_buf_mgr.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -86,7 +86,7 @@ static struct msm_isp_bufq *msm_isp_get_bufq(
		/* bufq_handle cannot be 0 */
		if ((bufq_handle == 0) \|\|
		bufq_index >= BUF_MGR_NUM_BUF_Q \|\|
		(bufq_index > buf_mgr->num_buf_q))
		(bufq_index >= buf_mgr->num_buf_q))
		return NULL;

		bufq = &buf_mgr->bufq[bufq_index];