From 542aeeb48ab002c6136885f99aa23870f8ffa25b Mon Sep 17 00:00:00 2001
From: Alan Jenkins
Date: Thu, 28 May 2009 17:59:06 +0100
Subject: [PATCH] udevd: queue-export - fix crash

The math in skip_to() was the wrong way round and allocated a variable size array on the stack with a massively negative size.

Signed-off-by: Alan Jenkins
---
udev/lib/libudev-queue-export.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/udev/lib/libudev-queue-export.c b/udev/lib/libudev-queue-export.c
index ddb1974d..a36ff515 100644
--- a/udev/lib/libudev-queue-export.c
+++ b/udev/lib/libudev-queue-export.c
@@ -115,8 +115,8 @@ static int skip_to(FILE *file, long offset)
 /* fseek may drop buffered data, avoid it for small seeks */
 old_offset = ftell(file);
- if (offset > old_offset && old_offset - offset <= BUFSIZ) {
- size_t skip_bytes = old_offset - offset;
+ if (offset > old_offset && offset - old_offset <= BUFSIZ) {
+ size_t skip_bytes = offset - old_offset;
 char buf[skip_bytes];
 if (fread(buf, skip_bytes, 1, file) != skip_bytes)
-- 
2.39.5
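Review bot: The unchanged check `if (fread(buf, skip_bytes, 1, file) != skip_bytes)` at the end of this hunk still compares an item count with a byte count: with size `skip_bytes` and nmemb `1`, fread() returns at most 1, so the test is true after every complete read except a one-byte skip. Swapping the arguments makes the return value a byte count: `if (fread(buf, 1, skip_bytes, file) != skip_bytes)`. The result of `ftell(file)` is also used unchecked; it is -1 on failure, so adding `old_offset >= 0 &&` to the corrected condition keeps a failed ftell() out of the read path. Since the branch is now capped at BUFSIZ, a fixed `char buf[BUFSIZ];` would remove the variable-length array that caused the crash. skip_to() begins before and continues after this hunk, so what the mismatch branch does is not visible here.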