From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alan Jenkins Date: Thu, 28 May 2009 16:59:06 +0000 Subject: [PATCH] queue-export: fix crash Message-Id: <4A1EC2DA.8030307@tuffmail.co.uk> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: linux-hotplug@vger.kernel.org The math in skip_to() was the wrong way round and allocated a variable size array on the stack with a massively negative size. Signed-off-by: Alan Jenkins --- udev/lib/libudev-queue-export.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/udev/lib/libudev-queue-export.c b/udev/lib/libudev-queue-export.c index ddb1974..a36ff51 100644 --- a/udev/lib/libudev-queue-export.c +++ b/udev/lib/libudev-queue-export.c @@ -115,8 +115,8 @@ static int skip_to(FILE *file, long offset) /* fseek may drop buffered data, avoid it for small seeks */ old_offset = ftell(file); - if (offset > old_offset && old_offset - offset <= BUFSIZ) { - size_t skip_bytes = old_offset - offset; + if (offset > old_offset && offset - old_offset <= BUFSIZ) { + size_t skip_bytes = offset - old_offset; char buf[skip_bytes]; if (fread(buf, skip_bytes, 1, file) != skip_bytes) -- 1.5.4.3
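Review bot: The unchanged context line at the end of this hunk, `if (fread(buf, skip_bytes, 1, file) != skip_bytes)`, compares an item count against a byte count. With an element size of skip_bytes and a count of 1, fread() returns 0 or 1, so the test is true for every successful read unless skip_bytes happens to be 1. Now that skip_bytes is computed correctly and the read can succeed, this comparison decides the outcome, so it should read `fread(buf, 1, skip_bytes, file) != skip_bytes` (or keep the argument order and compare against 1). Two smaller points on the same lines: old_offset from ftell() is used without checking for -1, and since the condition already bounds the skip by BUFSIZ, a fixed `char buf[BUFSIZ]` would avoid sizing a stack array from file offsets at all.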