$OpenBSD: patch-vi_v_txt_c,v 1.1 2013/05/21 17:47:37 bentley Exp $

Fix out of bounds buffer access.
Original commit message in base nvi by millert@:

When ^W (WERASE) is hit in insert mode it's possible that the line
buffer is accessed out of bounds. If 'max' == 0 and 'tp->cno' == 1
the 'tp->cno' value is first reduced by one and then 'tp->lb' is
accessed at 'tp->cno' - 1.  Also remove dead (and incorrect) code
in the TXT_ALTWERASE case.  From Arto Jonsson; OK martynas@

--- vi/v_txt.c.orig	Sun Oct  7 08:15:31 2012
+++ vi/v_txt.c	Sun May 19 17:37:48 2013
@@ -1106,12 +1106,12 @@ leftmargin:		tp->lb[tp->cno - 1] = ' ';
 		 */
 		if (LF_ISSET(TXT_TTYWERASE))
 			while (tp->cno > max) {
+				if (ISBLANK(tp->lb[tp->cno - 1]))
+					break;
 				--tp->cno;
 				++tp->owrite;
 				if (FL_ISSET(is_flags, IS_RUNNING))
 					tp->lb[tp->cno] = ' ';
-				if (ISBLANK(tp->lb[tp->cno - 1]))
-					break;
 			}
 		else {
 			if (LF_ISSET(TXT_ALTWERASE)) {
@@ -1119,19 +1119,17 @@ leftmargin:		tp->lb[tp->cno - 1] = ' ';
 				++tp->owrite;
 				if (FL_ISSET(is_flags, IS_RUNNING))
 					tp->lb[tp->cno] = ' ';
-				if (ISBLANK(tp->lb[tp->cno - 1]))
-					break;
 			}
 			if (tp->cno > max)
 				tmp = inword(tp->lb[tp->cno - 1]);
 			while (tp->cno > max) {
+				if (tmp != inword(tp->lb[tp->cno - 1])
+				    || ISBLANK(tp->lb[tp->cno - 1]))
+					break;
 				--tp->cno;
 				++tp->owrite;
 				if (FL_ISSET(is_flags, IS_RUNNING))
 					tp->lb[tp->cno] = ' ';
-				if (tmp != inword(tp->lb[tp->cno - 1])
-				    || ISBLANK(tp->lb[tp->cno - 1]))
-					break;
 			}
 		}
 
