commit 3f1e03edd93bcbb1643291a4e0e462d1dc0c7019
from: Florian Westphal <fw@strlen.de>
date: Sun Dec 17 22:52:43 2006 UTC

fix possibe buffer-off-by one

commit - 23e7f7f0dd55d140aca91ace6102e714cba5bbd0
commit + 3f1e03edd93bcbb1643291a4e0e462d1dc0c7019
blob - bc28d042fdd4e65d8aba29b5e1760a2f31137bbc
blob + 1342c670060db94242267c19c6c32a5eca5f4a94
--- src/ngircd/array.c
+++ src/ngircd/array.c
@@ -12,7 +12,7 @@
 
 #include "array.h"
 
-static char UNUSED id[] = "$Id: array.c,v 1.12 2006/09/30 21:49:46 fw Exp $";
+static char UNUSED id[] = "$Id: array.c,v 1.13 2006/12/17 22:52:43 fw Exp $";
 
 #include <assert.h>
 
@@ -247,19 +247,21 @@ void *
 array_get(array * a, size_t membersize, size_t pos)
 {
 	size_t totalsize;
+	size_t posplus1 = pos + 1;
 
 	assert(membersize > 0);
 	assert(a != NULL);
 
-	if (array_UNUSABLE(a))
+	if (!posplus1 || array_UNUSABLE(a))
 		return NULL;
 
-	if (!safemult_sizet(pos, membersize, &totalsize))
+	if (!safemult_sizet(posplus1, membersize, &totalsize))
 		return NULL;
 
 	if (a->allocated < totalsize)
 		return NULL;
 
+	totalsize = pos * membersize;
 	return a->mem + totalsize;
 }