From 98a20cd1283b6ee029e871c0876815300475c40a Mon Sep 17 00:00:00 2001
From: Nick Desaulniers
Date: Wed, 10 Aug 2016 15:44:19 -0700
Subject: procrank: fix bounds check to prevent heap overflow
Bug: 30774296
Change-Id: I44005caaa3cc17fe829f375a4cfeb5a464c97fbe
---
 libpagemap/pm_memusage.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libpagemap/pm_memusage.c b/libpagemap/pm_memusage.c
index 70cfedec..71a5783e 100644
--- a/libpagemap/pm_memusage.c
+++ b/libpagemap/pm_memusage.c
@@ -89,15 +89,15 @@ void pm_memusage_pswap_add_offset(pm_memusage_t *mu, unsigned int offset) {
 if (mu->p_swap == NULL) return;
- if (offset > mu->p_swap->array_size) {
+ if (offset >= mu->p_swap->array_size) {
 fprintf(stderr, "SWAP offset %d is out of swap bounds.\n", offset);
 return;
+ }
+
+ if (mu->p_swap->offset_array[offset] == USHRT_MAX) {
+ fprintf(stderr, "SWAP offset %d ref. count if overflowing ushort type.\n", offset);
 } else {
- if (mu->p_swap->offset_array[offset] == USHRT_MAX) {
- fprintf(stderr, "SWAP offset %d ref. count if overflowing ushort type.\n", offset);
- } else {
- mu->p_swap->offset_array[offset]++;
- }
+ mu->p_swap->offset_array[offset]++;
 }
 soff = malloc(sizeof(pm_swap_offset_t));
--
cgit v1.2.3
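Review bot: The two diagnostics in this hunk print `offset`, an `unsigned int`, with `%d`, so the out-of-range values this check exists to catch can show up as negative numbers in the log. Using `fprintf(stderr, "SWAP offset %u is out of swap bounds.\n", offset);` and the same `%u` in the ref-count message would report the real value. The `>=` comparison is only correct if `array_size` is the element count of `offset_array` rather than a byte size; the allocation is not visible here, so once that is confirmed a short comment above the check such as `/* array_size counts elements; valid indices are 0..array_size-1 */` would document the invariant. The function body continues past the `malloc` line outside the hunk, so whether that allocation result is checked cannot be judged from here.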