From 880d4a88b10d2e520d5476ac8627d425884658f9 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Sun, 17 Dec 2006 23:00:17 +0000
Subject: [PATCH] fix possibe buffer-off-by one [from HEAD]
---
 src/ngircd/array.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/ngircd/array.c b/src/ngircd/array.c
index 436738db..bd18cd6f 100644
--- a/src/ngircd/array.c
+++ b/src/ngircd/array.c
@@ -12,7 +12,7 @@
 #include "array.h"
-static char UNUSED id[] = "$Id: array.c,v 1.11.2.1 2006/12/02 13:00:25 fw Exp $";
+static char UNUSED id[] = "$Id: array.c,v 1.11.2.2 2006/12/17 23:00:17 fw Exp $";
 #include
@@ -247,19 +247,21 @@ void * array_get(array * a, size_t membersize, size_t pos) { size_t totalsize;
+ size_t posplus1 = pos + 1;
 assert(membersize > 0); assert(a != NULL);
- if (array_UNUSABLE(a))
+ if (!posplus1 || array_UNUSABLE(a))
 return NULL;
- if (!safemult_sizet(pos, membersize, &totalsize))
+ if (!safemult_sizet(posplus1, membersize, &totalsize))
 return NULL; if (a->allocated < totalsize) return NULL;
+ totalsize = pos * membersize;
 return a->mem + totalsize; }
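Review bot: The bound in `if (a->allocated < totalsize)` is the buffer's capacity, so even with the off-by-one closed array_get() still returns a pointer to any element that fits in the allocation, whether or not it was ever written. The array struct is not visible in this patch; if it tracks a filled length separately (to be confirmed in array.h), comparing against that length would keep callers from reading stale or uninitialised bytes. Separately, `totalsize` now carries two meanings, the bytes needed through element pos for the check and the offset of element pos for the return. Writing `return a->mem + pos * membersize;` with a comment such as `/* pos + 1 wraps to 0 when pos == SIZE_MAX; the checked product above already bounds pos * membersize */` would make the overflow reasoning explicit. The `membersize > 0` and `a != NULL` preconditions are enforced only by assert(), which is compiled out under NDEBUG.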