Fix off-by-one in memmove() calculation which caused a crash on Linux when

the expanded specified with or precision was more than one digit long.

Fix off-by-one in memmove() calculation which caused a crash on Linux when
3cd17446 · deuce · 979b3194 · 3cd17446
Commit 3cd17446 authored 9 years ago by deuce
--- a/src/xpdev/xpprintf.c
+++ b/src/xpdev/xpprintf.c
@@ -409,7 +409,7 @@ char* DLLCALL xp_asprintf_next(char *format, int type, ...)
 			 * Move trailing end to make space... leaving the * where it
 			 * is so it can be overwritten
 			 */
-			memmove(p+i, p+1, format-p+format_len);
+			memmove(p+i, p+1, format-p+format_len-1);
 			memcpy(p, int_buf, i);
 			*(size_t *)(format+sizeof(size_t))+=i-1;
 		}
@@ -450,7 +450,7 @@ char* DLLCALL xp_asprintf_next(char *format, int type, ...)
 				 * Move trailing end to make space... leaving the * where it
 				 * is so it can be overwritten
 				 */
-				memmove(p+i, p+1, format-p+format_len);
+				memmove(p+i, p+1, format-p+format_len-1);
 				memcpy(p, int_buf, i);
 				*(size_t *)(format+sizeof(size_t))+=i-1;
 			}