From 9dff81436d4d8aa252233bd146d882aaa04094e3 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 26 May 2017 12:28:05 -0300 Subject: [PATCH] [media] atomisp2: off by one in atomisp_s_input() The isp->inputs[] array has isp->input_cnt elements which have been initialized so this > should be >=. This bug is harmless. The check against ATOM_ISP_MAX_INPUTS prevents us from reading beyond the end of the array. The uninitialized elements are zeroed out so we will end up returning -EINVAL a few lines later because the .camera pointer is NULL. Signed-off-by: Dan Carpenter Signed-off-by: Alan Cox Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c index 6064bb823a47..aa0526ebaff1 100644 --- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_ioctl.c @@ -683,7 +683,7 @@ static int atomisp_s_input(struct file *file, void *fh, unsigned int input) int ret; rt_mutex_lock(&isp->mutex); - if (input >= ATOM_ISP_MAX_INPUTS || input > isp->input_cnt) { + if (input >= ATOM_ISP_MAX_INPUTS || input >= isp->input_cnt) { dev_dbg(isp->dev, "input_cnt: %d\n", isp->input_cnt); ret = -EINVAL; goto error; -- 2.20.1