From: Nick Desaulniers <ndesaulniers@google.com>
Date: Thu, 11 Aug 2016 00:32:59 +0000 (+0000)
Subject: procrank: fix bounds check to prevent heap overflow
X-Git-Tag: android-x86-7.1-r1~13
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=791e7afcfc8fbe11f37e395601ec1d18fdb521d3;hp=c66c0d2a9cdc42b05ee60248411a13873cfe70be;p=android-x86%2Fsystem-extras.git

procrank: fix bounds check to prevent heap overflow
am: 98a20cd128

Change-Id: I9e79ff3f83f36b68fa119d1b95f235a804cfb34e
---

diff --git a/libpagemap/pm_memusage.c b/libpagemap/pm_memusage.c
index 70cfedec..71a5783e 100644
--- a/libpagemap/pm_memusage.c
+++ b/libpagemap/pm_memusage.c
@@ -89,15 +89,15 @@ void pm_memusage_pswap_add_offset(pm_memusage_t *mu, unsigned int offset) {
     if (mu->p_swap == NULL)
         return;
 
-    if (offset > mu->p_swap->array_size) {
+    if (offset >= mu->p_swap->array_size) {
         fprintf(stderr, "SWAP offset %d is out of swap bounds.\n", offset);
         return;
+    }
+
+    if (mu->p_swap->offset_array[offset] == USHRT_MAX) {
+        fprintf(stderr, "SWAP offset %d ref. count if overflowing ushort type.\n", offset);
     } else {
-        if (mu->p_swap->offset_array[offset] == USHRT_MAX) {
-            fprintf(stderr, "SWAP offset %d ref. count if overflowing ushort type.\n", offset);
-        } else {
-            mu->p_swap->offset_array[offset]++;
-        }
+        mu->p_swap->offset_array[offset]++;
     }
 
     soff = malloc(sizeof(pm_swap_offset_t));