From 11e0883ee454f1baf172834c0fbae0202c7261b2 Mon Sep 17 00:00:00 2001
From: Jordan Lee <jordan@transmissionbt.com>
Date: Mon, 14 Mar 2011 02:39:11 +0000
Subject: [PATCH] (trunk libT) fix array-bounds-read in the UDP tracker code
 when an announce or scrape request times out

---
 libtransmission/announcer-udp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libtransmission/announcer-udp.c b/libtransmission/announcer-udp.c
index c74160086..a81a2813c 100644
--- a/libtransmission/announcer-udp.c
+++ b/libtransmission/announcer-udp.c
@@ -59,7 +59,7 @@ tau_sendto( tr_session * session,
     else
         sockfd = -1;
 
-    if( sockfd <  0 ) {
+    if( sockfd < 0 ) {
         errno = EAFNOSUPPORT;
         return -1;
     }
@@ -560,7 +560,9 @@ tau_tracker_upkeep( struct tau_tracker * tracker )
         else if( req->sent_at && ( req->sent_at + TAU_REQUEST_TTL < now ) ) {
             tau_announce_request_fail( tracker->session, req, FALSE, TRUE, NULL );
             tau_announce_request_free( req );
-            tr_ptrArrayRemove( reqs, i-- );
+            tr_ptrArrayRemove( reqs, i );
+            --i;
+            --n;
         }
     }
 
@@ -577,7 +579,9 @@ tau_tracker_upkeep( struct tau_tracker * tracker )
         else if( req->sent_at && ( req->sent_at + TAU_REQUEST_TTL < now ) ) {
             tau_scrape_request_fail( tracker->session, req, FALSE, TRUE, NULL );
             tau_scrape_request_free( req );
-            tr_ptrArrayRemove( reqs, i-- );
+            tr_ptrArrayRemove( reqs, i );
+            --i;
+            --n;
         }
     }
 }
-- 
2.40.0