authorSam Varshavchik2020-11-24 19:09:34 -0500
committerSam Varshavchik2020-11-24 19:37:28 -0500
commitb89f5f8dc09431bb345308b3a0ffd5f7d22cdfb2 (patch)
treec655b4e0bf8fb76b01a117e4feac01253663753a /unicode/unicodebuf.c
parent1d5b075408e8829006d84ba65b922101bd304a25 (diff)
downloadcourier-libs-b89f5f8dc09431bb345308b3a0ffd5f7d22cdfb2.tar.bz2
Fix bug triggered by cone.
Parameters to memmove were reversed. len is the size of the buffer. len-pos-cnt characters were copied in error to position pos+cnt. As such this did not overflow. I.e. if len was 8 (eight chars), pos was 1 and cnt was 2, then 8-2-1=5 characters were copied to offset 3, right at the end of the buffer. This was just plain wrong.
Diffstat (limited to 'unicode/unicodebuf.c')
-rw-r--r--unicode/unicodebuf.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/unicode/unicodebuf.c b/unicode/unicodebuf.c
index eb64543..59b7522 100644
--- a/unicode/unicodebuf.c
+++ b/unicode/unicodebuf.c
@@ -89,7 +89,8 @@ void unicode_buf_remove(struct unicode_buf *p,
cnt=p->len-pos;
if (cnt)
- memmove(p->ptr+pos+cnt, p->ptr+pos, p->len-pos-cnt);
+ memmove(p->ptr+pos, p->ptr+pos+cnt,
+ (p->len-pos-cnt) * sizeof(char32_t));
p->len -= cnt;
}
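Review bot: The byte count in the new memmove, `(p->len-pos-cnt) * sizeof(char32_t)`, is unsigned arithmetic and is only safe while `pos + cnt <= p->len`. The context line `cnt=p->len-pos;` suggests cnt is clamped, but its condition and any clamp on pos sit above the hunk, since the body of unicode_buf_remove starts outside it, so the invariant cannot be confirmed from here. If either clamp were missing, the subtraction would wrap and memmove would read and write far past the buffer. I would record the invariant next to the call, e.g. `/* pos and cnt are clamped above, so pos+cnt <= p->len */`, and write the element size as `sizeof(*p->ptr)` so it follows the buffer's type. The old call also counted bytes rather than char32_t elements, which the description does not mention; a regression test that removes a range from the middle of a buffer would pin both fixes.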