From 78b118bc5f503435b1d9216b3a3279e0c9fd9ecd Mon Sep 17 00:00:00 2001
From: Sverker Eriksson
Date: Fri, 21 Mar 2014 16:38:13 +0100
Subject: erts: Fix heap overflow in maps:remove/2 when key is not found
One key-value pair too many was copied.
---
 erts/emulator/beam/erl_map.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/erts/emulator/beam/erl_map.c b/erts/emulator/beam/erl_map.c
index 2fff7f9390..fdd2d0c0f6 100644
--- a/erts/emulator/beam/erl_map.c
+++ b/erts/emulator/beam/erl_map.c
@@ -647,22 +647,24 @@ int erts_maps_remove(Process *p, Eterm key, Eterm map, Eterm *res) {
 *mhp++ = tup;
 if (is_immed(key)) {
- while(n--) {
+ while (1) {
 if (*ks == key) {
 goto found_key;
- } else {
+ } else if (--n) {
 *mhp++ = *vs++;
 *thp++ = *ks++;
- }
+ } else
+ break;
 }
 } else {
- while(n--) {
+ while(1) {
 if (EQ(*ks, key)) {
 goto found_key;
- } else {
+ } else if (--n) {
 *mhp++ = *vs++;
 *thp++ = *ks++;
- }
+ } else
+ break;
 }
 }
@@ -676,7 +678,7 @@ int erts_maps_remove(Process *p, Eterm key, Eterm map, Eterm *res) {
 found_key:
 /* Copy rest of keys and values */
- if (n) {
+ if (--n) {
 sys_memcpy(mhp, vs+1, n*sizeof(Eterm));
 sys_memcpy(thp, ks+1, n*sizeof(Eterm));
 }
--
cgit v1.2.3
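Review bot: The rewritten loops in the first hunk depend on n being at least 1 on entry: with `while (1)` and `else if (--n)`, an n of 0 would wrap or go negative on the first pre-decrement and the loop would keep copying pairs past the end of the allocation this commit is protecting. Whatever guards that invariant (presumably an empty-map check earlier in erts_maps_remove, which starts above the hunk) is now load-bearing for memory safety, so it is worth pinning next to the loops, e.g. `ASSERT(n > 0); /* loops below pre-decrement n; an empty map must be handled before this point */`. As a point of style, the two loop headers are now spelled differently (`while (1)` vs `while(1)`), and the new `else break;` arms are the only unbraced bodies in the visible part of the function; bracing them keeps the three arms uniform. The enclosing function begins before and ends after this hunk.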
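Review bot: `if (--n)` at found_key in the second hunk is correct only because the loops above now jump here without having decremented n for the matched pair, so n still counts that pair; nothing at the label says so, and a later change to either loop would silently break the count. A one-line comment would make the coupling explicit: `/* n still includes the matched pair; skip it and copy the rest */`. The rest of erts_maps_remove continues past the hunk, so any later use of n is not visible here.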