projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 94e23b6)
[media] atomisp2: off by one in atomisp_s_input()
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 26 May 2017 15:28:05 +0000 (12:28 -0300)
committerMauro Carvalho Chehab <mchehab@s-opensource.com>
Wed, 7 Jun 2017 15:42:03 +0000 (12:42 -0300)
The isp->inputs[] array has isp->input_cnt elements which have been
initialized so this > should be >=.

This bug is harmless.  The check against ATOM_ISP_MAX_INPUTS prevents us
from reading beyond the end of the array.  The uninitialized elements
are zeroed out so we will end up returning -EINVAL a few lines later
because the .camera pointer is NULL.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c patch | blob | blame | history

diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c
index 6064bb823a47a787e4fc3a3a82c1e95176a97cc6..aa0526ebaff144b7c15f6e28f5877ba9f935df58 100644 (file)
--- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c
+++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c
@@ -683,7 +683,7 @@ static int atomisp_s_input(struct file *file, void *fh, unsigned int input)
        int ret;
 
        rt_mutex_lock(&isp->mutex);
-       if (input >= ATOM_ISP_MAX_INPUTS || input > isp->input_cnt) {
+       if (input >= ATOM_ISP_MAX_INPUTS || input >= isp->input_cnt) {
                dev_dbg(isp->dev, "input_cnt: %d\n", isp->input_cnt);
                ret = -EINVAL;
                goto error;