Check if member io_residual is non-negative. If it is negative, the call to
memset() will fail. In that case return FALSE.
* device/dev_pager.c (device_pager_data_request_done): Check if member
io_residual is non-negative.
((device_pager_data_request_done) (memset) (io_residual): Cast to size_t.
---
device/dev_pager.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/device/dev_pager.c b/device/dev_pager.c
index a5dba3f..8aaa022 100644
--- a/device/dev_pager.c
+++ b/device/dev_pager.c
@@ -424,8 +424,11 @@ boolean_t device_pager_data_request_done(io_req_t ior)
if (ior->io_residual) {
if (device_pager_debug)
printf("(device_pager)data_request_done: r: 0x%lx\n",
ior->io_residual);
- memset((&ior->io_data[ior->io_count - ior->io_residual]), 0,
- (unsigned) ior->io_residual);
+ if (ior->io_residual >= 0)
+ memset((&ior->io_data[ior->io_count -
ior->io_residual]), 0,
+ (size_t) ior->io_residual);
+ else
+ return FALSE;
}
} else {
size_read = ior->io_count - ior->io_residual;
--
1.8.1.4
