diff options
| author | Marc André Tanner <mat@brain-dump.org> | 2018-04-10 23:20:38 +0200 |
|---|---|---|
| committer | Marc André Tanner <mat@brain-dump.org> | 2018-04-10 23:20:38 +0200 |
| commit | 7d1f70e18cce00ca3fea43f392a3ea3a367f18b9 (patch) | |
| tree | 45cf3cc1664ecd958b14502bcf0921680f9efc00 | |
| parent | bac1186a4497b011ac262e0bc9f602ee3872fec4 (diff) | |
| download | vis-7d1f70e18cce00ca3fea43f392a3ea3a367f18b9.tar.gz vis-7d1f70e18cce00ca3fea43f392a3ea3a367f18b9.tar.xz | |
array: fix off by one error in array_remove
If the array was full, attempting to remove an element caused an out
of bounds memory access.
As an example this was triggered when reaching the capacity limit of
the jumplist. It can be forced by repeatedly searching for something
(i.e. `/.` and then holding down `n`).
| -rw-r--r-- | array.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -119,7 +119,7 @@ bool array_remove(Array *arr, size_t idx) { } char *dest = arr->items + idx * arr->elem_size; char *src = arr->items + (idx + 1) * arr->elem_size; - memmove(dest, src, (arr->len - idx) * arr->elem_size); + memmove(dest, src, (arr->len - idx - 1) * arr->elem_size); arr->len--; return true; } |