From 4cf0d1f709ce30cef706d8f5ad5612215dc81ef5 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong"
Date: Thu, 9 Nov 2017 11:35:24 -0600
Subject: [PATCH] xfs_repair: fix bag memory overwrite problems

There's an off by one error in the bag_remove code such that we end up copying memory from beyond the end of the array into the array. Not a serious problem since we have counters to prevent us from reading that garbage, but AddressSanitizer complained so let's fix it.

Signed-off-by: Darrick J. Wong
Reviewed-by: Eric Sandeen
Signed-off-by: Eric Sandeen
---
 repair/slab.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/repair/slab.c b/repair/slab.c
index 86092704a..d47448a38 100644
--- a/repair/slab.c
+++ b/repair/slab.c
@@ -469,7 +469,7 @@ bag_remove(
 {
 	ASSERT(nr < bag->bg_inuse);
 	memmove(&bag->bg_ptrs[nr], &bag->bg_ptrs[nr + 1],
-			(bag->bg_inuse - nr) * sizeof(void *));
+			(bag->bg_inuse - nr - 1) * sizeof(void *));
 	bag->bg_inuse--;
 	return 0;
 }
-- 
2.47.2
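Review bot: The corrected length `(bag->bg_inuse - nr - 1)` is only safe because of the `ASSERT(nr < bag->bg_inuse)` immediately above it, and if ASSERT is compiled out in non-debug builds (as it appears to be elsewhere in xfsprogs, though that is not visible in this hunk) an out-of-range `nr` turns the subtraction into a wraparound and the memmove into a huge out-of-bounds copy rather than a caught programming error. Since bag_remove already returns an int status, a cheap runtime guard before the memmove, e.g. `if (nr >= bag->bg_inuse) return -1; /* or the module's error convention */`, would keep the bounds check in release builds; the exact error value should follow whatever the callers in slab.c already handle. A one-line comment on the memmove would also help the next reader, something like `/* shift entries nr+1..bg_inuse-1 down by one; bg_inuse-nr-1 is the count that follows nr */`. The signature of bag_remove and the types of `nr` and `bg_inuse` are outside the hunk, so whether the subtraction is signed or unsigned cannot be confirmed here.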