exec.c, compat.c: fix count(), compat_count() bounds checking

With MAX_ARG_STRINGS set to 0x7FFFFFFF, and being passed to 'count()' and
compat_count(), it would appear that the current max bounds check of
fs/exec.c:394:

	if(++i > max)
		return -E2BIG;

would never trigger. Since 'i' is of type int, so values would wrap and the
function would continue looping.

Simple fix seems to be chaning ++i to i++ and checking for '>='.

Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Ollie Wild" <aaw@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

2 files changed, 2 insertions, 2 deletions

diff --git a/fs/compat.c b/fs/compat.c
index 075d0509970d..aae13d31612f 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -1239,7 +1239,7 @@ static int compat_count(compat_uptr_t __user *argv, int max)
                         if (!p)
                                 break;
                         argv++;
-                        if(++i > max)
+                        if (i++ >= max)
                                 return -E2BIG;
                 }
         }
diff --git a/fs/exec.c b/fs/exec.c
index cecee501ce78..7b5ed50eadeb 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -391,7 +391,7 @@ static int count(char __user * __user * argv, int max)
                         if (!p)
                                 break;
                         argv++;
-                        if(++i > max)
+                        if (i++ >= max)
                                 return -E2BIG;
                         cond_resched();
                 }