There's an off-by-one error in the bag_remove code such that we end up
copying memory from beyond the end of the array into the array. Not a
serious problem since we have counters to prevent us from reading that
garbage, but AddressSanitizer complained so let's fix it.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
{
ASSERT(nr < bag->bg_inuse);
memmove(&bag->bg_ptrs[nr], &bag->bg_ptrs[nr + 1],
- (bag->bg_inuse - nr) * sizeof(void *));
+ (bag->bg_inuse - nr - 1) * sizeof(void *));
bag->bg_inuse--;
return 0;
}
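Review bot: The new length `(bag->bg_inuse - nr - 1) * sizeof(void *)` passed to memmove depends entirely on the `ASSERT(nr < bag->bg_inuse)` line above it. If that assertion is a no-op in some builds and a caller passes nr equal to or greater than bg_inuse, the subtraction drops below zero and memmove receives a negative or wrapped size, which is worse than the one-element overread being fixed. Consider an explicit runtime check that returns an error before the memmove (the function already returns an int status), plus a one-line comment saying the count is the number of elements after index nr. The corrected count itself is right: removing element nr leaves bg_inuse - nr - 1 elements to shift down.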