[PATCH] drm/savage: off by one in savage_bci_cmdbuf()
Dan Carpenter
dan.carpenter at oracle.com
Wed Jul 4 09:48:10 UTC 2018
The > should be >= here so that we don't read beyond the end of the
dma->buflist[] array.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/drivers/gpu/drm/savage/savage_state.c b/drivers/gpu/drm/savage/savage_state.c
index 2db89bed52e8..7559a820bd43 100644
--- a/drivers/gpu/drm/savage/savage_state.c
+++ b/drivers/gpu/drm/savage/savage_state.c
@@ -971,7 +971,7 @@ int savage_bci_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_
LOCK_TEST_WITH_RETURN(dev, file_priv);
if (dma && dma->buflist) {
- if (cmdbuf->dma_idx > dma->buf_count) {
+ if (cmdbuf->dma_idx >= dma->buf_count) {
DRM_ERROR
("vertex buffer index %u out of range (0-%u)\n",
cmdbuf->dma_idx, dma->buf_count - 1);
More information about the dri-devel
mailing list