From ebe4f14ab2c85964cef2bb03c480dfa9aa3a2082 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Wed, 17 Sep 2008 07:18:55 -0400 Subject: rpmoffset: fix boundary bug Dmitry Karasik writes: When searching for the payload offset and not finding it in the current buffer, the code attempts to move the last (MAGIC_SIZE - 1) bytes to the beginning of the buffer. However the code for that is wrong. It reads: memmove(p, p + read_cnt - MAGIC_SIZE - 1, MAGIC_SIZE - 1); but should be: memmove(p, p + left + read_cnt - MAGIC_SIZE + 1, MAGIC_SIZE - 1); Mike Frysinger writes: The memmove() also needs to occur before left gets updated to avoid reading beyond the bounds of the p buffer and thus messing up the first adjustment. Signed-off-by: Mike Frysinger Signed-off-by: Dmitry Karasik --- rpmoffset.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rpmoffset.c b/rpmoffset.c index 80ed563..b8f5a04 100644 --- a/rpmoffset.c +++ b/rpmoffset.c @@ -52,12 +52,13 @@ int main(int argc, char *argv[]) } } + memmove(p, p + left + read_cnt - MAGIC_SIZE + 1, MAGIC_SIZE - 1); + offset += read_cnt; if (left == 0) { offset -= MAGIC_SIZE - 1; left = MAGIC_SIZE - 1; } - memmove(p, p + read_cnt - MAGIC_SIZE - 1, MAGIC_SIZE - 1); } if (ferror(stdin)) -- cgit v1.2.3-65-gdbad
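Review bot: the relocated memmove in this hunk is correct for both the first pass (left == 0, valid data is p[0 .. read_cnt)) and later passes (left == MAGIC_SIZE - 1, valid data is p[0 .. left + read_cnt)), but its source pointer `p + left + read_cnt - MAGIC_SIZE + 1` points before the start of `p` whenever `left + read_cnt < MAGIC_SIZE - 1`; the read path is outside this hunk, so please either confirm the loop can only reach this point with at least MAGIC_SIZE - 1 valid bytes or guard the call, e.g. `if (left + read_cnt >= MAGIC_SIZE - 1) memmove(...)`. A one-line comment above the memmove saying it carries the last MAGIC_SIZE - 1 bytes forward so a magic straddling two reads is still found, and that it must run before `left` is updated, would help, since that ordering is now load-bearing and was the source of the original off-by-two (`read_cnt - MAGIC_SIZE - 1`).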