From 1b2cb239d8f0c940526bbc89d659f2ac1396528d Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@cs.stanford.edu>
Date: Wed, 14 Mar 2012 22:05:54 -0700
Subject: [PATCH] ods-reader: Fix write beyond end of buffer.

The compiler multiplies by sizeof *var_spec for us here, so doing
it ourselves writes past the end of the allocated space.

Tracked down with valgrind.

Reported-by: bojo42 <bojo42@gmail.com>
---
 src/data/ods-reader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/data/ods-reader.c b/src/data/ods-reader.c
index 122e98c76d..aedea078df 100644
--- a/src/data/ods-reader.c
+++ b/src/data/ods-reader.c
@@ -462,7 +462,7 @@ ods_open_reader (struct spreadsheet_read_info *gri, struct dictionary **dict)
 		  var_spec = xrealloc (var_spec, sizeof (*var_spec) * (idx + 1));
 
 		  /* xrealloc (unlike realloc) doesn't initialise its memory to 0 */
-		  memset (var_spec + n_var_specs * sizeof (*var_spec),
+		  memset (var_spec + n_var_specs,
 			  0, 
 			  (n_var_specs - idx + 1) * sizeof (*var_spec));
 		  n_var_specs = idx + 1;
-- 
2.30.2