From 1d42f25fcdbf544371e3606e414d99937519b645 Mon Sep 17 00:00:00 2001
From: iceman1001 <iceman@iuse.se>
Date: Tue, 12 Jan 2016 22:15:49 +0100
Subject: [PATCH] FIX: Coverity, out-of-bounds write, CID# 121336,  s_index
 should take factor in consideration when looping.  Not sure about this one.

FIX: another thing struck me, the g_index wasn't increased, meaning the "un-decimation" always worked on the same first byte of GraphBuffer.
---
 client/cmddata.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/client/cmddata.c b/client/cmddata.c
index 83d5f3f2..270b00e6 100644
--- a/client/cmddata.c
+++ b/client/cmddata.c
@@ -827,19 +827,20 @@ int CmdUndec(const char *Cmd)
 		return 0;
 	}
 
-	uint8_t factor = param_get8ex(Cmd, 0,2, 10);
+	uint8_t factor = param_get8ex(Cmd, 0, 2, 10);
 	//We have memory, don't we?
 	int swap[MAX_GRAPH_TRACE_LEN] = { 0 };
 	uint32_t g_index = 0 ,s_index = 0;
-	while(g_index < GraphTraceLen && s_index < MAX_GRAPH_TRACE_LEN)
+	while(g_index < GraphTraceLen && s_index + factor < MAX_GRAPH_TRACE_LEN)
 	{
 		int count = 0;
-		for(count = 0; count < factor && s_index+count < MAX_GRAPH_TRACE_LEN; count ++)
+		for (count = 0; count < factor && s_index + count < MAX_GRAPH_TRACE_LEN; count++)
 			swap[s_index+count] = GraphBuffer[g_index];
-		s_index+=count;
+		s_index += count;
+		g_index++;
 	}
 
-	memcpy(GraphBuffer,swap, s_index * sizeof(int));
+	memcpy(GraphBuffer, swap, s_index * sizeof(int));
 	GraphTraceLen = s_index;
 	RepaintGraphWindow();
 	return 0;
-- 
2.39.2