The string at quote+1 is one byte shorter than the string at quote, so asking memmove() to move
strlen(quote)+1 bytes (including the \0) starting at quote+1 writes
one byte beyond the end of the memory area. Found by valgrind.
/* Move the string after the ', including the \0,
over two chars */
/* Move the string after the ', including the \0,
over two chars */
- memmove(quote+3, quote+1, strlen(quote)+1);
+ memmove(quote+3, quote+1, strlen(quote));
memcpy(quote, "%27", 3);
quote = quote + 3;
}
memcpy(quote, "%27", 3);
quote = quote + 3;
}
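Review bot: The new length `strlen(quote)` is right only because `quote` still points at the `'` being replaced, so it equals strlen(quote+1)+1; the comment above says "including the \0" but the expression no longer shows that, which is the same trap the removed line fell into. Spelling the tail out as `memmove(quote+3, quote+1, strlen(quote+1) + 1);` keeps the code and the comment saying the same thing. The hunk also shows nothing about how the destination was sized: expanding each `'` to `%27` needs two spare bytes per quote, which is presumably guaranteed by the allocation outside this hunk and deserves a comment there, since the valgrind finding was exactly a write past the end of that buffer. The enclosing function starts and ends outside the hunk.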