readline: fix memory corruption when adding history

idx can be down to 0, so TERM_MAX_CMDS-idx+1 could be TERM_MAX_CMDS+1, which
exceeds the size of term_history.

Signed-off-by: Kaifeng Zhu <kaifeng.zhu@citrix.com>
Coverity-ID: 1055739
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/readline.c b/readline.c
index 85728412e67d4b56f511b6ed3e2a5fbb02954418..4b68726570d1ba45ef3889703220292ad28b588c 100644 (file)
--- a/readline.c
+++ b/readline.c
@@ -267,7 +267,7 @@ static void term_hist_add(const char *cmdline)
            new_entry = hist_entry;
            /* Put this entry at the end of history */
            memmove(&term_history[idx], &term_history[idx + 1],
-                   (TERM_MAX_CMDS - idx + 1) * sizeof(char *));
+                   (TERM_MAX_CMDS - (idx + 1)) * sizeof(char *));
            term_history[TERM_MAX_CMDS - 1] = NULL;
            for (; idx < TERM_MAX_CMDS; idx++) {
                if (term_history[idx] == NULL)