From: Ralph Corderoy <ralph@inputplus.co.uk>
Date: Thu, 3 Nov 2016 10:36:30 +0000 (+0000)
Subject: ap: Fix write past end of addrs[] array.
X-Git-Url: https://diplodocus.org/git/nmh/commitdiff_plain/e62400a894407812a6774c1a0eddde91142a42eb?ds=inline;hp=bfc6b93af241cdc6193a19bcd115af8ad1390a73

ap: Fix write past end of addrs[] array.

Not spotted by valgrind because that doesn't check heap or stack arrays.
---

diff --git a/uip/ap.c b/uip/ap.c
index 89b207b5..b158416a 100644
--- a/uip/ap.c
+++ b/uip/ap.c
@@ -51,7 +51,7 @@ main (int argc, char **argv)
     int width = -1, status = 0;
     char *cp, *form = NULL, *format = NULL, *nfs;
     char buf[BUFSIZ], **argp;
-    char **arguments, *addrs[NADDRS];
+    char **arguments, *addrs[NADDRS + 1]; /* Includes terminating NULL. */
 
     if (nmh_init(argv[0], 2)) { return 1; }
 
@@ -96,7 +96,7 @@ main (int argc, char **argv)
 		    continue;
 	    }
 	}
-	if (addrp > NADDRS)
+	if (addrp == NADDRS)
 	    adios (NULL, "more than %d addresses", NADDRS);
 	else
 	    addrs[addrp++] = cp;