EmuGL: Fix heap corruption

Off-by-two bug when removing textures from the tracking array could overwrite malloc's mem chunk data structure, usually resulting in a heap corruption abort on a later malloc/realloc/free. Bug: 5951738 Change-Id: I11056bb62883373c2a3403f53899347ff8cdabf2
author: Jesse Hall <jessehall@google.com> 2012-02-03 22:54:24 -0800
committer: Jesse Hall <jessehall@google.com> 2012-02-03 22:54:24 -0800
commit: 0e981c83041878e6a05b0a996879160fd0f320cf (patch)
tree: 03145a4f2ae15943b9e08c6edf616eb28050de88 /tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp
parent: 47365074a01acc1826e10cf530f613e4cd58d62a (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp b/tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp
index c689f83a3..87c68db2c 100644
--- a/tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp
+++ b/tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp
@@ -394,7 +394,7 @@ void GLClientState::deleteTextures(GLsizei n, const GLuint* textures)
         if (texrec) {
             const TextureRec* end = m_tex.textures + m_tex.numTextures;
             memmove(texrec, texrec + 1,
-                    (end - texrec + 1) * sizeof(TextureRec));
+                    (end - texrec - 1) * sizeof(TextureRec));
             m_tex.numTextures--;
 
             for (TextureUnit* unit = m_tex.unit;
author	Jesse Hall <jessehall@google.com>	2012-02-03 22:54:24 -0800
committer	Jesse Hall <jessehall@google.com>	2012-02-03 22:54:24 -0800
commit	0e981c83041878e6a05b0a996879160fd0f320cf (patch)
tree	03145a4f2ae15943b9e08c6edf616eb28050de88 /tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp
parent	47365074a01acc1826e10cf530f613e4cd58d62a (diff)