From a4b876e97ff718d33e389c718021fa57c1d35955 Mon Sep 17 00:00:00 2001
From: Naushir Patuck <naush@raspberrypi.com>
Date: Tue, 15 Jun 2021 15:42:10 +0100
Subject: ipa: raspberrypi: Fix possible buffer overrun in metadata parsing

The SMIA metadata parser could possibly read one byte past the end of the
buffer as the buffer size test ran after the read operation. Fix this.

Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Reviewed-by: David Plowman <david.plowman@raspberrypi.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 src/ipa/raspberrypi/md_parser_smia.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ipa/raspberrypi/md_parser_smia.cpp b/src/ipa/raspberrypi/md_parser_smia.cpp
index 5c413f1b..0a148755 100644
--- a/src/ipa/raspberrypi/md_parser_smia.cpp
+++ b/src/ipa/raspberrypi/md_parser_smia.cpp
@@ -71,8 +71,8 @@ MdParserSmia::ParseStatus MdParserSmia::findRegs(libcamera::Span<const uint8_t>
 					return NO_LINE_START;
 			} else {
 				/* allow a zero line length to mean "hunt for the next line" */
-				while (buffer[current_offset] != LINE_START &&
-				       current_offset < buffer.size())
+				while (current_offset < buffer.size() &&
+				       buffer[current_offset] != LINE_START)
 					current_offset++;
 
 				if (current_offset == buffer.size())
-- 
cgit v1.2.1