main: fix reading outside malloced area.

Calling ptrArrayDeleteItem in a situation where the allocated array is fully used (curent-> count == current-> max) caused memmove to access outside the malloced area. ptrArrayRemoveItem and {char,uchar,int,uint,long,ulong}ArrayDeleteItem have the same problem.
universal-ctags · May 4, 2022 · 4a710c0 · 4a710c0
1 parent d906488
commit 4a710c0
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/main/numarray.c b/main/numarray.c
@@ -146,7 +146,7 @@
 	extern void prefix##ArrayDeleteItem (prefix##Array* const current, unsigned int indx) \
 	{																	\
 		memmove (current->array + indx, current->array + indx + 1,		\
-				 (current->count - indx) * sizeof (*current->array));	\
+				 (current->count - indx - 1) * sizeof (*current->array)); \
 		--current->count;												\
 	}																	\
 	static int prefix##GreaterThan(const void *a, const void *b)		\

diff --git a/main/ptrarray.c b/main/ptrarray.c
@@ -199,7 +199,7 @@ extern void ptrArrayDeleteItem (ptrArray* const current, unsigned int indx)
 		current->deleteFunc (ptr);
 
 	memmove (current->array + indx, current->array + indx + 1,
-			(current->count - indx) * sizeof (*current->array));
+			(current->count - indx - 1) * sizeof (*current->array));
 	--current->count;
 }
 
@@ -208,7 +208,7 @@ extern void*ptrArrayRemoveItem (ptrArray* const current, unsigned int indx)
 	void *ptr = current->array[indx];
 
 	memmove (current->array + indx, current->array + indx + 1,
-			(current->count - indx) * sizeof (*current->array));
+			(current->count - indx - 1) * sizeof (*current->array));
 	--current->count;
 
 	return ptr;