
partitions/ldm: Off by one in ldm_relative()

Message ID 20180620104433.qegf5bakvcywzuga@kili.mountain (mailing list archive)
State New, archived

Commit Message

Dan Carpenter June 20, 2018, 10:44 a.m. UTC
If base == buflen then we read one character past the end of buffer[].

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is static analysis.  Not tested.  This code goes back to before the
start of git.

Patch

diff --git a/block/partitions/ldm.c b/block/partitions/ldm.c
index 0417937dfe99..8f4c302eb11b 100644
--- a/block/partitions/ldm.c
+++ b/block/partitions/ldm.c
@@ -636,12 +636,12 @@  static int ldm_relative(const u8 *buffer, int buflen, int base, int offset)
 {
 
 	base += offset;
-	if (!buffer || offset < 0 || base > buflen) {
+	if (!buffer || offset < 0 || base >= buflen) {
 		if (!buffer)
 			ldm_error("!buffer");
 		if (offset < 0)
 			ldm_error("offset (%d) < 0", offset);
-		if (base > buflen)
+		if (base >= buflen)
 			ldm_error("base (%d) > buflen (%d)", base, buflen);
 		return -1;
 	}
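
Review bot: The ldm_error() string in the last changed branch still reads "base (%d) > buflen (%d)" although the test is now `base >= buflen`, so a rejection with base == buflen logs a comparison that is false for the values it prints; change the text to ">=" to match the condition. Separately, after `base += offset` only `offset < 0` and the upper bound are tested, so a sum that ends up negative (both are plain int, and nothing here rejects a negative `base`) still passes this check; adding `base < 0` to the condition would cover the lower bound as well.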