From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeff Muizelaar <jmuizelaar@mozilla.com>
Date: Thu, 25 Feb 2021 13:18:47 +0000
Subject: [PATCH] Bug 1694670. Fix the OOB check in write_u32/u16. r=aosmond,
 a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D106362
---
 gfx/qcms/src/iccread.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gfx/qcms/src/iccread.rs b/gfx/qcms/src/iccread.rs
index 0113e17aff3e6..f1107d50a86b6 100644
--- a/gfx/qcms/src/iccread.rs
+++ b/gfx/qcms/src/iccread.rs
@@ -229,16 +229,16 @@ fn read_uInt16Number(mem: &mut MemSource, offset: usize) -> uInt16Number {
     read_u16(mem, offset)
 }
 pub fn write_u32(mem: &mut [u8], offset: usize, value: u32) {
-    if offset <= mem.len() - std::mem::size_of_val(&value) {
+    if offset > mem.len() - std::mem::size_of_val(&value) {
         panic!("OOB");
     }
     let mem = mem.as_mut_ptr();
     unsafe {
         std::ptr::write_unaligned(mem.add(offset) as *mut u32, cpu_to_be32(value));
     }
 }
 pub fn write_u16(mem: &mut [u8], offset: usize, value: u16) {
-    if offset <= mem.len() - std::mem::size_of_val(&value) {
+    if offset > mem.len() - std::mem::size_of_val(&value) {
         panic!("OOB");
     }
     let mem = mem.as_mut_ptr();