Hi, Jeremy

> 172   for (int i = 0; i < len; i++)
> 
> If len is less than i, the loop exits.  No call to memmove.
> 

Consider this: ss is '^^^^'.

First loop: len = 4, i = 0, memmove will get called. ss is '^^^^'.

Second loop: len = 3, i = 2, ss[i+1] (ss[3]) is still '^', so before
memmove, i = 3, and len = 2. The third param of memmove would be
(size_t)-1.

The same thing happens when ss is '^^aaaaaaaaaaaaaaaaaaa^'.

First loop: after memmove, ss is '^aaaaaaaaaaaaaaaaaaa^^'.
Last loop: ss[i] is the first '^' after 'a', ss[i+1] (ss[len]) is the last '^'.
        memmove gets called then.

The issue is that the code assumes ss[len] is always 0. However, when memmove
gets called and the original ss[len-1] is '^', then afterwards, with the new len,
ss[len-1] = ss[len] = '^'.

When i = len-1 and ss[i] and ss[i+1] are both '^', len would be less than i when
memmove is called.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
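
The two traces in the message above, as an added C example that is not part of the original message and is not Exim's code. `trace_memmove_count` uses a loop shape reconstructed from the trace (an assumption) and returns the negative count instead of passing it to memmove; `decode_carets` (hypothetical name) is one hardened form, assuming '^^' decodes to a literal '^' and a lone '^' to NUL.

```c
#include <stdio.h>
#include <string.h>

/* Loop shape reconstructed from the trace in the message (an assumption,
   not Exim's source). Returns the first negative memmove count it would
   compute, or 0 if none. ss must hold len + 1 bytes with ss[len] == 0. */
long trace_memmove_count(char *ss, long len)
{
    for (long i = 0; i < len; i++) {
        if (ss[i] != '^')
            continue;
        if (ss[i + 1] != '^') {          /* lone '^' stands for NUL */
            ss[i] = 0;
            continue;
        }
        i++;
        len--;
        long count = len - i;            /* (size_t)-1 once len < i */
        if (count < 0)
            return count;                /* stop; do not call memmove */
        memmove(ss + i, ss + i + 1, (size_t)count);  /* ss[len] not moved */
    }
    return 0;
}

/* Hardened decoder (hypothetical name): separate read and write indices, so
   no count can go negative and ss[len] is never read. Needs len + 1 bytes. */
size_t decode_carets(char *ss, size_t len)
{
    size_t w = 0;
    for (size_t r = 0; r < len; r++) {
        if (ss[r] != '^')
            ss[w++] = ss[r];
        else if (r + 1 < len && ss[r + 1] == '^') {
            ss[w++] = '^';               /* "^^" -> one literal '^' */
            r++;
        } else
            ss[w++] = 0;                 /* lone '^' -> NUL */
    }
    ss[w] = 0;                           /* terminator at the new length */
    return w;
}

int main(void)
{
    char a[] = "^^^^", b[] = "^^^^";     /* constructed inputs */
    printf("count=%ld len=%zu\n", trace_memmove_count(a, 4), decode_carets(b, 4));
    return 0;
}
```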
