From 335e3c30ebd98959a53c22b12b17f907d7def48c Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Thu, 26 Nov 2015 03:41:47 -0500
Subject: xarray: move ele update to after bounds check
Even though we don't use the loaded ele value until after we check the bounds of the counter, it makes ASAN unhappy, and might cause a load of invalid memory.
URL: https://bugs.gentoo.org/553368
Reported-by: Hanno Boeck
---
 xfuncs.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/xfuncs.h b/xfuncs.h
index 82f5da0..61577ec 100644
--- a/xfuncs.h
+++ b/xfuncs.h
@@ -27,10 +27,14 @@ void xarraypush(array_t *array, const void *ele, size_t ele_len);
 #define xarraypush_str(arr, ele) xarraypush(arr, ele, strlen(ele) + 1 /*NUL*/)
 void xarrayfree(array_t *array);
 #define xrealloc_array(ptr, size, ele_size) xrealloc(ptr, (size) * (ele_size))
+/* The assignment after the check is unfortunate as we do a non-NULL check (we
+ * already do not permit pushing of NULL pointers), but we can't put it in the
+ * increment phase as that will cause a load beyond the bounds of valid memory.
+ */
 #define array_for_each(arr, n, ele) \
 for (n = 0, ele = array_cnt(arr) ? arr->eles[n] : NULL; \
- n < array_cnt(arr); \
- ele = arr->eles[++n])
+ n < array_cnt(arr) && (ele = arr->eles[n]); \
+ ++n)
 #define array_init_decl { .eles = NULL, .num = 0, }
 #define array_cnt(arr) (arr)->num
 char *array_flatten_str(array_t *array);
--
cgit v1.2.3
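Review bot: The new loop condition `n < array_cnt(arr) && (ele = arr->eles[n])` ends iteration at the first NULL element, so the macro now depends on an invariant enforced elsewhere (the added comment says pushing NULL is not permitted, but that check is not visible in this hunk). If a slot ever holds NULL, every later element is silently skipped, which matters for any loop that frees or validates each entry. Decoupling the assignment from the test keeps the out-of-bounds fix without that dependency: `n < array_cnt(arr) && ((ele = arr->eles[n]), 1); \`. Separately, the new line expands `arr->eles[n]` without parentheses around the macro argument; `(arr)->eles[n]` is safer when the argument is an expression.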