Fix a memory access bug in the trie construction. When we attempt to

examine the partially built switch node at a given depth, we must
abort the attempt if that depth is _at least_ tb->switchsize, not just
if it's greater (since, as usual, elements in the array exist up to
but not including tb->switchsize).

This was reported as a segfault by an AIX user recently, but turns out
not to be a platform-specific issue: valgrind confirms that it's wrong
on Linux too, even though it hasn't happened to explode for anyone.

git-svn-id: svn://svn.tartarus.org/sgt/agedu@9693 cda61777-01e9-0310-a592-d414129be87e

diff --git a/trie.c b/trie.c
index 4857891..d170458 100644 (file)
--- a/trie.c
+++ b/trie.c
@@ -218,7 +218,7 @@ static off_t triebuild_unwind(triebuild *tb, int targetdepth, int *outcount)
     while (depth > targetdepth) {
        int odepth = depth;
        while (depth > targetdepth &&
-              (depth-1 > tb->switchsize || !tb->switches ||
+              (depth-1 >= tb->switchsize || !tb->switches ||
                tb->switches[depth-1].len == 0))
            depth--;
        if (odepth > depth) {