From 445e371ebc7afaca6be293f43055eae0fbeb67be Mon Sep 17 00:00:00 2001 From: Jacob Garber Date: Tue, 13 Aug 2019 14:25:20 -0600 Subject: tests: Fix off-by-one error in array bounds check rptr points to an object with rsize number of bytes. If offset + size == rsize, then rptr + offset + size will point to one byte past the end of the object during the memcpy(). Exclude this case by adding it to the bounds check. We can also remove the offset > rsize check since it is subsumed in the other one. BUG=none TEST=make clean && make runtests BRANCH=none Change-Id: Iceda658f420babe61bd1d9807efc8333d2044ccc Signed-off-by: Jacob Garber Found-by: Coverity CID 198905 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1752766 Reviewed-by: Joel Kitching --- tests/vb2_gbb_tests.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/vb2_gbb_tests.c b/tests/vb2_gbb_tests.c index 92d617aa..4acb328c 100644 --- a/tests/vb2_gbb_tests.c +++ b/tests/vb2_gbb_tests.c @@ -78,7 +78,7 @@ vb2_error_t vb2ex_read_resource(struct vb2_context *c, return VB2_ERROR_EX_READ_RESOURCE_INDEX; } - if (offset > rsize || offset + size > rsize) + if (offset + size >= rsize) return VB2_ERROR_EX_READ_RESOURCE_SIZE; memcpy(buf, rptr + offset, size); -- cgit v1.2.1
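Review bot: the new condition `if (offset + size >= rsize)` in vb2ex_read_resource() rejects a read that ends exactly at the end of the resource, and that read is in bounds. `memcpy(buf, rptr + offset, size)` touches bytes offset through offset + size - 1, so when offset + size == rsize the last byte read is at index rsize - 1; rptr + offset + size is only a one-past-the-end pointer and is never dereferenced. With `>=`, a caller can no longer read the whole object (offset 0, size rsize) or its final bytes, so I would keep `offset + size > rsize`. Separately, dropping `offset > rsize` is only safe if offset + size cannot wrap. The declarations are outside this hunk, but if both are unsigned integers, a large offset can make the sum wrap to a small value and pass the check. An overflow-safe form is `if (offset > rsize || size > rsize - offset)`, which also keeps the exact-fit read valid. A test case that reads exactly rsize bytes at offset 0, and one where offset + size wraps, would pin both behaviours.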