From 2c4948572c2cccdf2fb23d8a69c0053ba20e573e Mon Sep 17 00:00:00 2001
From: Reini Urban
Date: Tue, 2 Dec 2014 22:25:35 +0100
Subject: [PATCH] [pmc] rpa: fix invalid read in delete_keyed_int, off by one with (1,9,10) and key=1 we read one too far. repro: valgrind ./parrot_old -t20 t/compilers/pge/p5regex/p5rx.t
---
 src/pmc/resizablepmcarray.pmc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/pmc/resizablepmcarray.pmc b/src/pmc/resizablepmcarray.pmc
index f73c051565..4b3a75f133 100644
--- a/src/pmc/resizablepmcarray.pmc
+++ b/src/pmc/resizablepmcarray.pmc
@@ -531,8 +531,7 @@ Delete the element at index C and shift the rest to the left.
 }
 else {
 PMC ** const off = &data[offset+key];
- memmove(off, off + 1,
- (size - key) * sizeof (PMC *));
+ memmove(off, off + 1, (size - key - 1) * sizeof (PMC *));
 }
 #else
 for (i = key + offset; i < size - 1; ++i)
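Review bot: The new length `(size - key - 1) * sizeof (PMC *)` goes negative when `key >= size` and would then reach memmove as a very large unsigned count, whereas the old expression yielded zero at `key == size`; the `else` branch therefore depends entirely on a range check on `key` that is not visible in this hunk. The function begins above the hunk, so confirm that the check rejects `key == size` and not only `key > size`, and state the invariant at the call, e.g. `/* requires 0 < key < size: size - key - 1 elements follow key */`. The `#else` fallback also looks inconsistent with the corrected path: it starts at `key + offset` but stops at `i < size - 1`, which would appear to shift too few elements when `offset` is nonzero. If that branch can still be built, `i < offset + size - 1` would match the memmove count, though its loop body lies outside the hunk.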