From 2dab9de1da3d4501d166f2c7ca2be9df951c8763 Mon Sep 17 00:00:00 2001
From: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>
Date: Mon, 14 Nov 2016 18:46:12 -0800
Subject: msm: camera: fix bound check of offset to avoid overread overwrite

fix bound check of hw_cmd_p->offset in msm_jpeg_hw_exec_cmds
to avoid overread overwrite.

CRs-Fixed: 1088824

Change-Id: Ifaa4b5387d4285ddce16d8e745aa0500c64c568b
Signed-off-by: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>
---
 drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
index 071ce0a41ed9..e40869d41a5d 100644
--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c
@@ -847,7 +847,7 @@ int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, uint32_t m_cmds,
 	uint32_t data;
 
 	while (m_cmds--) {
-		if (hw_cmd_p->offset > max_size) {
+		if (hw_cmd_p->offset >= max_size) {
 			JPEG_PR_ERR("%s:%d] %d exceed hw region %d\n", __func__,
 				__LINE__, hw_cmd_p->offset, max_size);
 			return -EFAULT;
-- 
cgit v1.2.3