From cba4b7a3bf98faff4c905f71064f7d66b9869e79 Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Sat, 20 Aug 2011 09:28:32 -0400
Subject: [PATCH] shm: Include the returned element length in the range check
Signed-off-by: Mathieu Desnoyers
---
 libringbuffer/shm.h | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/libringbuffer/shm.h b/libringbuffer/shm.h
index f5cc8e69..9f72a5a2 100644
--- a/libringbuffer/shm.h
+++ b/libringbuffer/shm.h
@@ -20,26 +20,27 @@
 */
 static inline char *_shmp_offset(struct shm_object_table *table, struct shm_ref *ref,
- size_t offset)
+ size_t idx, size_t elem_size)
 {
 struct shm_object *obj;
- size_t index, ref_offset;
+ size_t objindex, ref_offset;
- index = (size_t) ref->index;
- if (unlikely(index >= table->allocated_len))
+ objindex = (size_t) ref->index;
+ if (unlikely(objindex >= table->allocated_len))
 return NULL;
- obj = &table->objects[index];
+ obj = &table->objects[objindex];
 ref_offset = (size_t) ref->offset;
- ref_offset += offset;
- if (unlikely(ref_offset >= obj->memory_map_size))
+ ref_offset += idx * elem_size;
+ /* Check if part of the element returned would exceed the limits. */
+ if (unlikely(ref_offset + elem_size > obj->memory_map_size))
 return NULL;
 return &obj->memory_map[ref_offset];
 }
-#define shmp_index(handle, ref, offset) \
+#define shmp_index(handle, ref, index) \
 ({ \
 __typeof__((ref)._type) ____ptr_ret; \
- ____ptr_ret = (__typeof__(____ptr_ret)) _shmp_offset((handle)->table, &(ref)._ref, ((offset) * sizeof(*____ptr_ret))); \
+ ____ptr_ret = (__typeof__(____ptr_ret)) _shmp_offset((handle)->table, &(ref)._ref, index, sizeof(*____ptr_ret)); \
 ____ptr_ret; \
 })
-- 
2.34.1
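Review bot: The new bound `ref_offset + elem_size > obj->memory_map_size` in `_shmp_offset` can wrap around `size_t`, so a `ref->offset` close to the top of the range passes a check that the old `ref_offset >= obj->memory_map_size` comparison rejected, and `&obj->memory_map[ref_offset]` then lies outside the mapping. Comparing by subtraction avoids the wrap: `if (unlikely(elem_size > obj->memory_map_size || ref_offset > obj->memory_map_size - elem_size))`. The preceding `ref_offset += idx * elem_size;` can wrap as well, giving an in-range pointer to the wrong element; a guard such as `if (unlikely(elem_size && idx > (SIZE_MAX - ref_offset) / elem_size)) return NULL;` placed before the addition would reject it (`SIZE_MAX` needs `<stdint.h>`, whose inclusion is not visible in this hunk). In `shmp_index` the macro argument is now passed bare; writing `(index)` would keep the parenthesisation the old `(offset)` had.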