We're reading beyond the buffer before checking its length.
BUG: KASAN: slab-out-of-bounds in wbcir_irq_tx
Signed-off-by: Sean Young <sean@xxxxxxxx>
---
drivers/media/rc/winbond-cir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/rc/winbond-cir.c b/drivers/media/rc/winbond-cir.c
index ea7be6d35ff8..a18eb232ed81 100644
--- a/drivers/media/rc/winbond-cir.c
+++ b/drivers/media/rc/winbond-cir.c
@@ -429,7 +429,7 @@ wbcir_irq_tx(struct wbcir_data *data)
bytes[used] = byte;
}
- while (data->txbuf[data->txoff] == 0 && data->txoff != data->txlen)
+ while (data->txoff != data->txlen && data->txbuf[data->txoff] == 0)
data->txoff++;
if (used == 0) {
--
2.13.3
