From 8fbc87707e3f10fd3a22ec222561a0684178b3e5 Mon Sep 17 00:00:00 2001
From: Joachim Nilsson <troglobit@gmail.com>
Date: Tue, 4 Nov 2014 23:50:45 +0100
Subject: [PATCH] Fix out-of-bounds access in user key binding routines.

Coverity CID #56737, #56738

Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
---
 src/editline.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/editline.c b/src/editline.c
index aa1f162..b9796a4 100644
--- a/src/editline.c
+++ b/src/editline.c
@@ -1683,7 +1683,7 @@ static size_t find_key_in_map(int key, el_keymap_t map[], size_t mapsz)
 {
     size_t i;
 
-    for (i = 0; map[i].Function != NULL; i++) {
+    for (i = 0; map[i].Function; i++) {
 	if (map[i].Key == key)
 	    return i;
     }
@@ -1705,7 +1705,9 @@ static el_status_t el_bind_key_in_map(int key, el_keymap_func_t function, el_key
 {
     size_t creat, pos = find_key_in_map(key, map, mapsz);
 
-    if (pos == mapsz) {
+    /* Must check that pos is not the next to last array position,
+     * otherwise we will write out-of-bounds to terminate the list. */
+    if (pos >= mapsz - 1) {
 	errno = ENOMEM;
 	return CSeof;
     }