From 4a710c0604fbbe64391d3402768a8c237a1838b4 Mon Sep 17 00:00:00 2001
From: Hideki IWAMOTO
Date: Thu, 5 May 2022 01:13:29 +0900
Subject: [PATCH] main: fix reading outside malloced area.

Calling ptrArrayDeleteItem in a situation where the allocated array is fully used (curent-> count == current-> max) caused memmove to access outside the malloced area. ptrArrayRemoveItem and {char,uchar,int,uint,long,ulong}ArrayDeleteItem have the same problem.
---
 main/numarray.c | 2 +-
 main/ptrarray.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/main/numarray.c b/main/numarray.c
index 62f6e714b8..484286abf5 100644
--- a/main/numarray.c
+++ b/main/numarray.c
@@ -146,7 +146,7 @@ extern void prefix##ArrayDeleteItem (prefix##Array* const current, unsigned int indx) \
 { \
 memmove (current->array + indx, current->array + indx + 1, \
- (current->count - indx) * sizeof (*current->array)); \
+ (current->count - indx - 1) * sizeof (*current->array)); \
 --current->count; \
 } \
 static int prefix##GreaterThan(const void *a, const void *b) \
diff --git a/main/ptrarray.c b/main/ptrarray.c
index 299ae810a0..12db5568a9 100644
--- a/main/ptrarray.c
+++ b/main/ptrarray.c
@@ -199,7 +199,7 @@ extern void ptrArrayDeleteItem (ptrArray* const current, unsigned int indx)
 current->deleteFunc (ptr);
 memmove (current->array + indx, current->array + indx + 1,
- (current->count - indx) * sizeof (*current->array));
+ (current->count - indx - 1) * sizeof (*current->array));
 --current->count;
 }
@@ -208,7 +208,7 @@ extern void*ptrArrayRemoveItem (ptrArray* const current, unsigned int indx)
 void *ptr = current->array[indx];
 memmove (current->array + indx, current->array + indx + 1,
- (current->count - indx) * sizeof (*current->array));
+ (current->count - indx - 1) * sizeof (*current->array));
 --current->count;
 return ptr;
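Review bot: The corrected length `current->count - indx - 1` in the `+` line of the numarray hunk is right for `indx < current->count`, but nothing in the hunk establishes that precondition: both operands are `unsigned int`, so for `indx >= current->count` (including a call on an empty array) the subtraction wraps to a value near UINT_MAX, memmove writes far past the allocation, and the following `--current->count` underflows as well. I would pin the precondition at the top of the generated function body, e.g. `Assert (indx < current->count); \` as the first statement after `{ \`, assuming the project's Assert macro is reachable from this file, and state it in a comment on the function: `/* Precondition: indx < current->count; the caller must bounds-check. */`. Note that when `indx == current->count - 1` the new length is 0 and the source pointer `current->array + indx + 1` is one past the end, which is a valid zero-length memmove. The `#define` that generates these functions starts above the hunk, so the rest of the macro is not visible here.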
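Review bot: ptrArrayDeleteItem still has no visible check that `indx < current->count`, and the context line `current->deleteFunc (ptr);` shows the element at `indx` is read and handed to the delete callback before the memmove that this hunk fixes; an out-of-range `indx` would therefore call deleteFunc on a stale or out-of-bounds pointer, and then, since `current->count` and `indx` are unsigned, `current->count - indx - 1` wraps and memmove moves a huge span. The function's opening lines (the read of `current->array[indx]` and the deleteFunc guard) lie above the hunk, so I cannot see whether a guard exists there; if it does not, add `Assert (indx < current->count);` before the element is read, using whatever assertion facility this file already has in scope, and document the contract with `/* Precondition: indx < current->count. Deletes the element, then closes the gap; the memmove is a no-op for the last element. */`. With the fix as written, the move is now bounded by the allocation whenever that precondition holds, so the remaining risk is entirely in callers passing an unchecked index.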