From: Steven Luo Date: Sun, 13 Dec 2009 08:45:12 +0000 (-0800) Subject: Fix off-by-one error in launch_other_browser X-Git-Tag: v3.0rc1~22 X-Git-Url: http://git.maemo.org/git/?p=browser-switch;a=commitdiff_plain;h=a9b3f951dddb14ac0188e3e451325592267a22d5 Fix off-by-one error in launch_other_browser quote+1 has length one less than quote, so asking memmove() to move strlen(quote)+1 bytes (including the \0) starting at quote+1 results in writing one byte beyond the end of the memory area. Found by valgrind. --- diff --git a/launcher.c b/launcher.c index d9fa584..24dff0a 100644 --- a/launcher.c +++ b/launcher.c @@ -154,7 +154,7 @@ static void launch_other_browser(struct swb_context *ctx, char *uri) { /* Move the string after the ', including the \0, over two chars */ - memmove(quote+3, quote+1, strlen(quote)+1); + memmove(quote+3, quote+1, strlen(quote)); memcpy(quote, "%27", 3); quote = quote + 3; }
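Review bot: On the changed memmove line, the length strlen(quote) is correct only because it equals strlen(quote+1)+1 (quote still points at the ' character here), and that is not obvious when reading the call next to its comment about "including the \0". Writing the length as strlen(quote+1)+1, or noting the equivalence in the comment, ties the count to the source pointer actually passed and makes the off-by-one harder to reintroduce. Separately, after this move the terminator lands at quote+strlen(quote)+2, two bytes past where it was, so every quote that gets replaced needs two spare bytes in the buffer. The allocation is not visible in this hunk, so it is worth confirming that the buffer is sized for the worst case of three output bytes per input quote.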