From 7d1f70e18cce00ca3fea43f392a3ea3a367f18b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Andr=C3=A9=20Tanner?=
Date: Tue, 10 Apr 2018 23:20:38 +0200
Subject: array: fix off by one error in array_remove

If the array was full, attempting to remove an element caused an out of bounds memory access. As an example this was triggered when reaching the capacity limit of the jumplist. It can be forced by repeatedly searching for something (i.e. `/.` and then holding down `n`).
---
 array.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/array.c b/array.c
index 824154a..c68279f 100644
--- a/array.c
+++ b/array.c
@@ -119,7 +119,7 @@ bool array_remove(Array *arr, size_t idx) {
 }
 char *dest = arr->items + idx * arr->elem_size;
 char *src = arr->items + (idx + 1) * arr->elem_size;
- memmove(dest, src, (arr->len - idx) * arr->elem_size);
+ memmove(dest, src, (arr->len - idx - 1) * arr->elem_size);
 arr->len--;
 return true;
 }
-- 
cgit v1.2.3
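Review bot: The corrected length `(arr->len - idx - 1) * arr->elem_size` is only safe if `idx < arr->len` is rejected before this point; the hunk opens on a closing `}` that presumably belongs to such a bounds check, but the start of array_remove lies outside the hunk, so that precondition should be confirmed and stated next to the memmove, e.g. `/* shift [idx+1, len) down one slot; requires idx < len (checked above) */`. With the old size the memmove read one element past `items + len * elem_size`, which is a heap over-read whenever the array is at capacity (and a read of uninitialized slack otherwise), so this is a memory-safety fix rather than a cosmetic one and deserves a regression test that fills an array to capacity and removes the last element. When `idx == arr->len - 1` the new call is `memmove(dest, one-past-end, 0)`; that is harmless in practice, but skipping the call in that case, `if (idx + 1 < arr->len) memmove(dest, src, (arr->len - idx - 1) * arr->elem_size);`, avoids handing a one-past-the-end pointer to a library routine and reads more clearly as "nothing to shift".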