Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit eff148d3 authored by Gaoxiang Chen's avatar Gaoxiang Chen Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: fix off-by-one overflow in msm_isp_get_bufq



In msm_isp_get_bufq, if bufq_index equals buf_mgr->num_buf_q,
it will pass the check, leading to off-by-one overflow
(exceed the length of array by one element).

CRs-Fixed: 2031677
Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
Signed-off-by: default avatarGaoxiang Chen <gaochen@codeaurora.org>
parent 688bb0a5
Loading
Loading
Loading
Loading
+1 −1
Original line number Diff line number Diff line
@@ -87,7 +87,7 @@ struct msm_isp_bufq *msm_isp_get_bufq(
	/* bufq_handle cannot be 0 */
	if ((bufq_handle == 0) ||
		bufq_index >= BUF_MGR_NUM_BUF_Q ||
		(bufq_index > buf_mgr->num_buf_q))
		(bufq_index >= buf_mgr->num_buf_q))
		return NULL;

	bufq = &buf_mgr->bufq[bufq_index];