From a9b3f951dddb14ac0188e3e451325592267a22d5 Mon Sep 17 00:00:00 2001
From: Steven Luo
Date: Sun, 13 Dec 2009 00:45:12 -0800
Subject: [PATCH 1/1] Fix off-by-one error in launch_other_browser

quote+1 has length one less than quote, so asking memmove() to move strlen(quote)+1 bytes (including the \0) starting at quote+1 results in writing one byte beyond the end of the memory area. Found by valgrind.
---
 launcher.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/launcher.c b/launcher.c
index d9fa584..24dff0a 100644
--- a/launcher.c
+++ b/launcher.c
@@ -154,7 +154,7 @@ static void launch_other_browser(struct swb_context *ctx, char *uri) {
 /* Move the string after the ', including the \0, over two chars */
- memmove(quote+3, quote+1, strlen(quote)+1);
+ memmove(quote+3, quote+1, strlen(quote));
 memcpy(quote, "%27", 3);
 quote = quote + 3;
 }
-- 
1.7.9.5
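Review bot: The corrected length on the added memmove line is right but reads as if the terminator were dropped, while the comment directly above says the \0 is included; `strlen(quote)` happens to equal `strlen(quote+1) + 1`, so writing the call as `memmove(quote+3, quote+1, strlen(quote+1) + 1);` states the intent the comment describes and makes the next reviewer's off-by-one check trivial. Whether the buffer that `quote` points into was allocated with two spare bytes for every single quote the loop expands is not visible in the hunk; if it is sized from the original `uri` length alone, the shift still writes past its end, so the allocation site should be checked against the count of quotes. The body of launch_other_browser starts and ends outside the hunk.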