vis

a vi-like editor based on Plan 9's structural regular expressions

git clone https://9o.is/git/vis.git

commit ba3b0f4eb8f3c0ee6cddc8e164fb1841225771d6
parent f666862d8bf047ee1e409b0d2c02a4c82ad1cde8
Author: Marc André Tanner <mat@brain-dump.org>
Date:   Tue, 10 Apr 2018 23:20:38 +0200

array: fix off by one error in array_remove

If the array was full, attempting to remove an element caused an out
of bounds memory access.

As an example this was triggered when reaching the capacity limit of
the jumplist. It can be forced by repeatedly searching for something
(i.e. `/.` and then holding down `n`).

Diffstat:
M array.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/array.c b/array.c @@ -119,7 +119,7 @@ bool array_remove(Array *arr, size_t idx) { } char *dest = arr->items + idx * arr->elem_size; char *src = arr->items + (idx + 1) * arr->elem_size; - memmove(dest, src, (arr->len - idx) * arr->elem_size); + memmove(dest, src, (arr->len - idx - 1) * arr->elem_size); arr->len--; return true; }
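
Review bot: the corrected count `(arr->len - idx - 1)` in the `memmove` call is `size_t` arithmetic, so it wraps to a huge value if `idx >= arr->len` ever reaches this line. The guard that ends with the `}` just above is outside the visible context, so please confirm it rejects `idx == arr->len` as well as larger values, and consider a one-line comment at the `memmove` stating that invariant. Also note that for the last element `src` is now only computed, never read (the count is zero), which is the intended behaviour at full capacity. A regression test that fills an array to its capacity and then removes the first, a middle and the last index would pin down the case described in the commit message.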