This change fixes a potential OOB access issue due to culprit checking. CRs-Fixed: 3851339 Change-Id: I5a8b8977f815376eeb41a4a227df6e307c7bd99d Signed-off-by: Haochen Yang <[email protected]>
@@ -202,7 +202,7 @@ static int cam_jpeg_add_command_buffers(struct cam_packet *packet,
cmd_buf_kaddr = (uint32_t *)kaddr;
- if ((cmd_desc[i].offset / sizeof(uint32_t)) >= len) {
+ if (cmd_desc[i].offset >= len) {
CAM_ERR(CAM_JPEG, "Invalid offset: %u cmd buf len: %zu",
cmd_desc[i].offset, len);
cam_mem_put_cpu_buf(cmd_desc[i].mem_handle);
Haochen Yang