msm: camera: jpeg: Fix potential OOB access

This change fixes a potential OOB access issue due to culprit checking. CRs-Fixed: 3851339 Change-Id: I5a8b8977f815376eeb41a4a227df6e307c7bd99d Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
2024-06-27 17:14:22 -07:00
commit 37c2bd7cb9
--- a/drivers/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c
+++ b/drivers/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c
@@ -202,7 +202,7 @@ static int cam_jpeg_add_command_buffers(struct cam_packet *packet,

 			cmd_buf_kaddr = (uint32_t *)kaddr;

-			if ((cmd_desc[i].offset / sizeof(uint32_t)) >= len) {
+			if (cmd_desc[i].offset >= len) {
 				CAM_ERR(CAM_JPEG, "Invalid offset: %u cmd buf len: %zu",
 					cmd_desc[i].offset, len);
 				cam_mem_put_cpu_buf(cmd_desc[i].mem_handle);