Comment 0 for bug 1854054

[impact]

the build_cull_table() function scans through elements up to nr_in_ready_table/nr_in_build_table, and performs actions if a match was found; however the match detection logic simply compares the for loop index against nr_in_*_table - 1, which underflows when 0, resulting in incorrect if section being run and then segfaulting.

[test case]

this is difficult to reproduce and it's unclear the specific conditions that can reproduce it, but it has been reported to happen and review of the code shows it clearly could happen.

[regression potential]

this simply moves the -1 over to the for loop counter as a +1, so the most likely regression would be a for loop counter overflow. However that should not happen as the culltable_size is limited to 4096, and the for loop counter is unsigned int; so it should be safe from overflow. Any other regression would likely involve a similar result as the current bug, a segfault.