From 0e981c83041878e6a05b0a996879160fd0f320cf Mon Sep 17 00:00:00 2001
From: Jesse Hall
Date: Fri, 3 Feb 2012 22:54:24 -0800
Subject: [PATCH] EmuGL: Fix heap corruption

Off-by-two bug when removing textures from the tracking array could overwrite malloc's mem chunk data structure, usually resulting in a heap corruption abort on a later malloc/realloc/free.

Bug: 5951738
Change-Id: I11056bb62883373c2a3403f53899347ff8cdabf2
---
 .../emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp b/tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp
index c689f83a3..87c68db2c 100644
--- a/tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp
+++ b/tools/emulator/opengl/shared/OpenglCodecCommon/GLClientState.cpp
@@ -394,7 +394,7 @@ void GLClientState::deleteTextures(GLsizei n, const GLuint* textures)
 if (texrec) {
 const TextureRec* end = m_tex.textures + m_tex.numTextures;
 memmove(texrec, texrec + 1,
- (end - texrec + 1) * sizeof(TextureRec));
+ (end - texrec - 1) * sizeof(TextureRec));
 m_tex.numTextures--;
 for (TextureUnit* unit = m_tex.unit;
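Review bot: The corrected count `(end - texrec - 1)` is right, but it is still hand-derived pointer arithmetic with no comment, which is how the original `+ 1` slipped in. Writing it as `(end - (texrec + 1)) * sizeof(TextureRec)`, or adding `// shift the records in [texrec + 1, end) down by one` above the memmove, makes the source range explicit. The old length wrote one record past `end` and read two past it, so a cheap guard such as `assert(texrec >= m_tex.textures && texrec < end);` before the memmove would turn a future miscalculation into an immediate failure instead of silent heap damage. How texrec is looked up is outside this hunk, so that assert assumes it always points into m_tex.textures; deleteTextures itself starts before and continues past the lines shown.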