procrank: fix bounds check to prevent heap overflow

author Nick Desaulniers <ndesaulniers@google.com>

Thu, 11 Aug 2016 00:32:59 +0000 (00:32 +0000)

committer android-build-merger <android-build-merger@google.com>

Thu, 11 Aug 2016 00:32:59 +0000 (00:32 +0000)
author Nick Desaulniers <ndesaulniers@google.com>
Thu, 11 Aug 2016 00:32:59 +0000 (00:32 +0000)
committer android-build-merger <android-build-merger@google.com>
Thu, 11 Aug 2016 00:32:59 +0000 (00:32 +0000)
diff --git a/libpagemap/pm_memusage.c b/libpagemap/pm_memusage.c

index 70cfede..71a5783 100644 (file)
--- a/libpagemap/pm_memusage.c
+++ b/libpagemap/pm_memusage.c
@@ -89,15 +89,15 @@ void pm_memusage_pswap_add_offset(pm_memusage_t *mu, unsigned int offset) {
      if (mu->p_swap == NULL)
          return;
  
-    if (offset > mu->p_swap->array_size) {
+    if (offset >= mu->p_swap->array_size) {
          fprintf(stderr, "SWAP offset %d is out of swap bounds.\n", offset);
          return;
+    }
+
+    if (mu->p_swap->offset_array[offset] == USHRT_MAX) {
+        fprintf(stderr, "SWAP offset %d ref. count if overflowing ushort type.\n", offset);
      } else {
-        if (mu->p_swap->offset_array[offset] == USHRT_MAX) {
-            fprintf(stderr, "SWAP offset %d ref. count if overflowing ushort type.\n", offset);
-        } else {
-            mu->p_swap->offset_array[offset]++;
-        }
+        mu->p_swap->offset_array[offset]++;
      }
  
      soff = malloc(sizeof(pm_swap_offset_t));
author	Nick Desaulniers <ndesaulniers@google.com>
	Thu, 11 Aug 2016 00:32:59 +0000 (00:32 +0000)
committer	android-build-merger <android-build-merger@google.com>
	Thu, 11 Aug 2016 00:32:59 +0000 (00:32 +0000)