On Fri, Nov 04, 2011 at 11:10:01AM +0100, Markus Armbruster wrote: > readline_hist_add() moves the history entry to the end of history. It > uses memmove() to move rs->history[idx + 1..] to rs->history[idx..]. > However, its size argument is off by two array elements, so it writes > one element beyond rs->history[], and reads two. > > On my system, this clobbers rs->hist_entry and the hole right after > it. Since the function assigns to rs->hist_entry in time, the bug has > no ill effects for me. > > Spotted by Coverity. > > Signed-off-by: Markus Armbruster <arm...@redhat.com> > --- > readline.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-)
Thanks, applied to the trivial patches tree: http://repo.or.cz/w/qemu/stefanha.git/shortlog/refs/heads/trivial-patches Stefan
