If base == buflen then we read one character past the end of buffer[].
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
This is static analysis. Not tested. This code goes back to before the start of git.
diff --git a/block/partitions/ldm.c b/block/partitions/ldm.c
index 0417937dfe99..8f4c302eb11b 100644
--- a/block/partitions/ldm.c
+++ b/block/partitions/ldm.c
@@ -636,12 +636,12 @@ static int ldm_relative(const u8 *buffer, int buflen, int base, int offset)
 {
 base += offset;
- if (!buffer || offset < 0 || base > buflen) {
+ if (!buffer || offset < 0 || base >= buflen) {
 if (!buffer)
 ldm_error("!buffer");
 if (offset < 0)
 ldm_error("offset (%d) < 0", offset);
- if (base > buflen)
+ if (base >= buflen)
 ldm_error("base (%d) > buflen (%d)", base, buflen);
 return -1;
 }
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
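Review bot: The message on the `ldm_error("base (%d) > buflen (%d)", base, buflen);` line still says `>` after both comparisons became `>=`, so the newly rejected `base == buflen` case logs a statement that is false for the values it prints; I would change it to `ldm_error("base (%d) >= buflen (%d)", base, buflen);`. The guard also bounds `base` only from above: `offset < 0` is rejected, but a negative sum from `base += offset` would still pass. If callers can supply such a `base` (not visible here), adding `base < 0` to the condition would close the lower side as well. The read of `buffer[base]` that the description refers to, and the rest of ldm_relative, lie outside the hunk.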