From 3f1e03edd93bcbb1643291a4e0e462d1dc0c7019 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Sun, 17 Dec 2006 22:52:43 +0000
Subject: [PATCH] fix possibe buffer-off-by one
---
 src/ngircd/array.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/ngircd/array.c b/src/ngircd/array.c
index bc28d042..1342c670 100644
--- a/src/ngircd/array.c
+++ b/src/ngircd/array.c
@@ -12,7 +12,7 @@
 #include "array.h"
-static char UNUSED id[] = "$Id: array.c,v 1.12 2006/09/30 21:49:46 fw Exp $";
+static char UNUSED id[] = "$Id: array.c,v 1.13 2006/12/17 22:52:43 fw Exp $";
 #include
@@ -247,19 +247,21 @@ void *
 array_get(array * a, size_t membersize, size_t pos)
 {
 size_t totalsize;
+ size_t posplus1 = pos + 1;
 assert(membersize > 0);
 assert(a != NULL);
- if (array_UNUSABLE(a))
+ if (!posplus1 || array_UNUSABLE(a))
 return NULL;
- if (!safemult_sizet(pos, membersize, &totalsize))
+ if (!safemult_sizet(posplus1, membersize, &totalsize))
 return NULL;
 if (a->allocated < totalsize)
 return NULL;
+ totalsize = pos * membersize;
 return a->mem + totalsize;
 }
--
2.39.2
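Review bot: In array_get, `totalsize` now carries two different meanings: the end offset `(pos + 1) * membersize` used for the bounds check, and, after the added `totalsize = pos * membersize;`, the start offset that is returned. Nothing in the code explains why. I would add a comment above the check, for example `/* element pos spans [pos*membersize, (pos+1)*membersize): bound the END offset, return the START */`, and return `a->mem + pos * membersize` directly instead of overwriting the variable. The same comment should record that the final multiplication is left unchecked on purpose: it appears safe only because safemult_sizet() has already accepted the larger product and `!posplus1` rejects the wrap of `pos + 1`. The bound is `a->allocated`, so the check shows that the element lies inside the allocation, not that those bytes were ever written; whether callers depend on initialised contents is not visible in this hunk.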