From de0cb8be53896f712c568a082613ce0c5ac20d7b Mon Sep 17 00:00:00 2001
From: NeilBrown
Date: Wed, 13 Feb 2013 17:28:30 +1100
Subject: [PATCH] vpatch: fix another access-beyond-array

This was found by valgrind as well: prev_melmnt needs to check 'type' just like next_melmnt does. This revealed an infinite loop because we have a 'hi' value that was wrong but being trusted.

Signed-off-by: NeilBrown
---
 vpatch.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/vpatch.c b/vpatch.c
index c7e84a6..03fe0f8 100644
--- a/vpatch.c
+++ b/vpatch.c
@@ -491,7 +491,7 @@ static struct elmnt prev_melmnt(struct mp *pos,
 }
 }
 }
- if (pos->m < 0) {
+ if (pos->m < 0 || m[pos->m].type == End) {
 struct elmnt e;
 e.start = NULL; e.hash = 0; e.len = 0;
 return e;
@@ -1561,6 +1561,12 @@ static int merge_window(struct plist *p, FILE *f, int reverse, int replace)
 prev_mline(&spos, fm, fb, fa, ci.merger, smode);
 /* Now hi/lo might be wrong, so lets fix it. */
 tpos = spos;
+ if (spos.state) /* 'hi' might be wrong so we mustn't depend * on it while walking back. So set state * to 1 to avoid ever testing it. */ spos.state = 1;
 while (spos.p.m >= 0 && spos.state != 0)
 prev_mline(&spos, fm, fb, fa, ci.merger, smode);
 while (!same_mpos(spos, tpos))
--
2.39.5
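Review bot: The new `m[pos->m].type == End` operand in prev_melmnt's exit test is undocumented, and nothing in the hunk says why stopping on an End element must be handled the same way as running off the front of the array. A comment above the `if` would carry the commit message's reasoning into the code, e.g. `/* Ran off the front, or stopped on the End marker: there is no previous element and m[pos->m] must not be read further. */` (that End is the array terminator is inferred from its name; confirm against the declaration). The operand order matters — `pos->m < 0` must stay first so the array is never indexed with a negative value — and is worth stating in the same comment. prev_melmnt begins, and the loop that positions pos->m runs, before the hunk, and the declaration of `m` is not visible here.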
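Review bot: The added `if (spos.state)` in merge_window has an unbraced body separated from its condition by a four-line comment, so the eye lands on the comment rather than on `spos.state = 1;` as the controlled statement; brace it as `if (spos.state) {` … `spos.state = 1;` … `}`. The comment explains the intent but not what the value 1 means to prev_mline — the hunk does not show how prev_mline interprets `state`, so presumably 1 is the value under which it never consults 'hi'; the comment should say that explicitly, and a named constant would read better than the literal if the file defines one. The following `while` now terminates only if prev_mline decrements `spos.p.m` or clears `state`, which cannot be confirmed from the hunk. merge_window starts outside the hunk.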