From 58a47e25bbb418e7efd9fd821433d57b625f42e0 Mon Sep 17 00:00:00 2001
From: George Hotz <72895+geohot@users.noreply.github.com>
Date: Fri, 14 Jan 2022 15:22:28 -0800
Subject: [PATCH] camerad: Out of bounds memory write (#23534)

* parens were totally wrong

* cleaner
old-commit-hash: 7e83d9a61849950dcd7a4db3cd8ab7e9668dda2d
---
 selfdrive/camerad/cameras/camera_qcom2.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/selfdrive/camerad/cameras/camera_qcom2.cc b/selfdrive/camerad/cameras/camera_qcom2.cc
index 030bbe47e1..373e129a83 100644
--- a/selfdrive/camerad/cameras/camera_qcom2.cc
+++ b/selfdrive/camerad/cameras/camera_qcom2.cc
@@ -227,7 +227,7 @@ void sensors_init(int video0_fd, int sensor_fd, int camera_num) {
   buf_desc[0].size = buf_desc[0].length = sizeof(struct cam_cmd_i2c_info) + sizeof(struct cam_cmd_probe);
   buf_desc[0].type = CAM_CMD_BUF_LEGACY;
   struct cam_cmd_i2c_info *i2c_info = (struct cam_cmd_i2c_info *)alloc_w_mmu_hdl(video0_fd, buf_desc[0].size, (uint32_t*)&buf_desc[0].mem_handle);
-  struct cam_cmd_probe *probe = (struct cam_cmd_probe *)((uint8_t *)i2c_info) + sizeof(struct cam_cmd_i2c_info);
+  auto probe = (struct cam_cmd_probe *)(i2c_info + 1);
 
   switch (camera_num) {
     case 0: