From a8944b37636faea396c4cf169ecbdc1f64a8a88d Mon Sep 17 00:00:00 2001
From: Rodrigo Arias
Date: Mon, 24 Apr 2023 11:47:46 +0200
Subject: [PATCH] Fix buffer overflow in sort_replace()

The access to the array was done before the out of bound check.
---
 src/emu/sort.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/emu/sort.c b/src/emu/sort.c
index 4eb0057..ccc9b68 100644
--- a/src/emu/sort.c
+++ b/src/emu/sort.c
@@ -50,7 +50,7 @@ sort_replace(int64_t *arr, int64_t n, int64_t old, int64_t new)
 ;
 /* Copy middle section replacing old */
- for (; arr[i + 1] <= new && i < n - 1; i++)
+ for (; i < n - 1 && arr[i + 1] <= new; i++)
 arr[i] = arr[i + 1];
 /* Place new */
@@ -63,7 +63,7 @@ sort_replace(int64_t *arr, int64_t n, int64_t old, int64_t new)
 ;
 /* Shift right to replace old */
- for (; arr[i - 1] > new && i > 0; i--)
+ for (; i > 0 && arr[i - 1] > new; i--)
 arr[i] = arr[i - 1];
 /* Invariant: Either i == 0 or arr[i] <= new
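Review bot: Both reordered loop conditions now rely on `&&` short-circuiting to keep the index in range before `arr[i + 1]` (first hunk) and `arr[i - 1]` (second hunk) are read, and nothing in the code records that, so a later tidy-up could swap the operands back. I would add a comment above each loop, e.g. `/* Bound check must come first: && short-circuits, so arr[i + 1] is never read at i == n - 1 */`, with the mirrored wording for `i > 0`. The empty-bodied loops that end in `;` just above each changed line have their conditions outside the hunks; they presumably index `arr` as well, so it is worth confirming they also test the bound before the access. A regression test that makes the new value land at either end of the array, run under AddressSanitizer, would pin the fix.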