udevd: queue-export - fix crash

The math in skip_to() was the wrong way round and allocated a
variable size array on the stack with a massively negative size.

Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>

diff --git a/udev/lib/libudev-queue-export.c b/udev/lib/libudev-queue-export.c
index ddb1974dbef93fefefe28beb6c4ab7aef3608053..a36ff5150abda26d3bce741cc794111b72c929b9 100644 (file)
--- a/udev/lib/libudev-queue-export.c
+++ b/udev/lib/libudev-queue-export.c
@@ -115,8 +115,8 @@ static int skip_to(FILE *file, long offset)
 
        /* fseek may drop buffered data, avoid it for small seeks */
        old_offset = ftell(file);
-       if (offset > old_offset && old_offset - offset <= BUFSIZ) {
-               size_t skip_bytes = old_offset - offset;
+       if (offset > old_offset && offset - old_offset <= BUFSIZ) {
+               size_t skip_bytes = offset - old_offset;
                char buf[skip_bytes];
 
                if (fread(buf, skip_bytes, 1, file) != skip_bytes)