msm: ais: fix off-by-one overflow in msm_isp_get_bufq

In msm_isp_get_bufq, if bufq_index == buf_mgr->num_buf_q, it will pass the check, leading to off-by-one overflow (exceed the length of array by one element). Change-Id: Iccf02b68314e770ad9fae41973cad6ff7700b822 Signed-off-by: E V Ravi <evenka@codeaurora.org>
author: E V Ravi <evenka@codeaurora.org> 2018-11-16 18:07:51 +0530
committer: E V Ravi <evenka@codeaurora.org> 2018-11-16 18:13:51 +0530
commit: 77d8951c4e74d1535be2680e35e2b9f210d2f0aa (patch)
tree: f0c5c0798486a7766cd914088cbe1cedcc3225d2
parent: 23d37eecf80f7b08fde9a8f3d888855f9b08ca21 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/platform/msm/ais/isp/msm_buf_mgr.c b/drivers/media/platform/msm/ais/isp/msm_buf_mgr.c
index c23fddf6e52f..0ce3b63bcc3d 100644
--- a/drivers/media/platform/msm/ais/isp/msm_buf_mgr.c
+++ b/drivers/media/platform/msm/ais/isp/msm_buf_mgr.c
@@ -86,7 +86,7 @@ static struct msm_isp_bufq *msm_isp_get_bufq(
 	/* bufq_handle cannot be 0 */
 	if ((bufq_handle == 0) ||
 		bufq_index >= BUF_MGR_NUM_BUF_Q ||
-		(bufq_index > buf_mgr->num_buf_q))
+		(bufq_index >= buf_mgr->num_buf_q))
 		return NULL;
 
 	bufq = &buf_mgr->bufq[bufq_index];
author	E V Ravi <evenka@codeaurora.org>	2018-11-16 18:07:51 +0530
committer	E V Ravi <evenka@codeaurora.org>	2018-11-16 18:13:51 +0530
commit	77d8951c4e74d1535be2680e35e2b9f210d2f0aa (patch)
tree	f0c5c0798486a7766cd914088cbe1cedcc3225d2
parent	23d37eecf80f7b08fde9a8f3d888855f9b08ca21 (diff)