This patch fixes

==23538== Invalid read of size 1
==23538==    at 0x449731: cmd_help (fe-help.c:259)
==23538==    by 0x4A44FD: signal_emit_real (signals.c:242)
==23538==    by 0x4A4770: signal_emit (signals.c:286)
==23538==    by 0x48D7C8: parse_command (commands.c:899)
==23538==    by 0x48D948: event_command (commands.c:945)
==23538==    by 0x4A44FD: signal_emit_real (signals.c:242)
==23538==    by 0x4A4770: signal_emit (signals.c:286)
==23538==    by 0x41B0B0: key_send_line (gui-readline.c:548)
==23538==    by 0x4A44FD: signal_emit_real (signals.c:242)
==23538==    by 0x4A4770: signal_emit (signals.c:286)
==23538==    by 0x4588D6: sig_multi (keyboard.c:637)
==23538==    by 0x4A44FD: signal_emit_real (signals.c:242)
==23538==  Address 0x9D116F7 is 1 bytes before a block of size 1 alloc'd
==23538==    at 0x4A059F6: malloc (vg_replace_malloc.c:149)
==23538==    by 0x34306362AA: g_malloc (in /lib64/libglib-2.0.so.0.1400.6)
==23538==    by 0x343064D35E: g_strdup (in /lib64/libglib-2.0.so.0.1400.6)
==23538==    by 0x4496F0: cmd_help (fe-help.c:257)
==23538==    by 0x4A44FD: signal_emit_real (signals.c:242)
==23538==    by 0x4A4770: signal_emit (signals.c:286)
==23538==    by 0x48D7C8: parse_command (commands.c:899)
==23538==    by 0x48D948: event_command (commands.c:945)
==23538==    by 0x4A44FD: signal_emit_real (signals.c:242)
==23538==    by 0x4A4770: signal_emit (signals.c:286)
==23538==    by 0x41B0B0: key_send_line (gui-readline.c:548)
==23538==    by 0x4A44FD: signal_emit_real (signals.c:242)

which happens when executing a plain '/HELP'.
---
 src/fe-common/core/fe-help.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/fe-common/core/fe-help.c b/src/fe-common/core/fe-help.c
index 76e4c6d..98dfab9 100644
--- a/src/fe-common/core/fe-help.c
+++ b/src/fe-common/core/fe-help.c
@@ -255,8 +255,12 @@ static void cmd_help(const char *data)
        char *cmd, *ptr;
 
        cmd = g_strdup(data);
-       ptr = cmd+strlen(cmd);
-       while (ptr[-1] == ' ') ptr--; *ptr = '\0';
+       ptr = cmd + strlen(cmd);
+
+       while (ptr>cmd && ptr[-1] == ' ')
+               --ptr;
+
+       *ptr = '\0';
 
        g_strdown(cmd);
        show_help(cmd);
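Review bot: The new `ptr>cmd` bound on the trim loop carries no comment saying why it is there, and the valgrind trace in the commit message shows only the read side of the problem. With an empty argument the old loop read one byte before the `g_strdup` block, and had that neighbouring heap byte been a space, `ptr` would have moved back and the following `*ptr = '\0'` would have written outside the allocation as well. I would add `/* trim trailing spaces; never step before cmd (empty argument, e.g. plain /HELP) */` above the loop so a later tidy-up does not drop the check. cmd_help starts before and continues past this hunk, so the release of `cmd` is not visible here.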
-- 
1.5.4.1

