summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNaushir Patuck <naush@raspberrypi.com>2021-06-15 15:42:10 +0100
committerLaurent Pinchart <laurent.pinchart@ideasonboard.com>2021-06-22 13:48:01 +0300
commita4b876e97ff718d33e389c718021fa57c1d35955 (patch)
tree6f786b46b3b08b461a87a93c5a814c94cbd8dd35
parent969da31894394db4f64c4a0e96ec2252fb13142b (diff)
ipa: raspberrypi: Fix possible buffer overrun in metadata parsing
The SMIA metadata parser could possibly read one byte past the end of the buffer as the buffer size test ran after the read operation. Fix this. Signed-off-by: Naushir Patuck <naush@raspberrypi.com> Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com> Reviewed-by: David Plowman <david.plowman@raspberrypi.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
-rw-r--r--src/ipa/raspberrypi/md_parser_smia.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/ipa/raspberrypi/md_parser_smia.cpp b/src/ipa/raspberrypi/md_parser_smia.cpp
index 5c413f1b..0a148755 100644
--- a/src/ipa/raspberrypi/md_parser_smia.cpp
+++ b/src/ipa/raspberrypi/md_parser_smia.cpp
@@ -71,8 +71,8 @@ MdParserSmia::ParseStatus MdParserSmia::findRegs(libcamera::Span<const uint8_t>
return NO_LINE_START;
} else {
/* allow a zero line length to mean "hunt for the next line" */
- while (buffer[current_offset] != LINE_START &&
- current_offset < buffer.size())
+ while (current_offset < buffer.size() &&
+ buffer[current_offset] != LINE_START)
current_offset++;
if (current_offset == buffer.size())