From 29049507ec34efd59ce6de7cff524fb44b47f934 Mon Sep 17 00:00:00 2001
From: Matt Stancliff
Date: Wed, 14 Jan 2015 11:10:25 -0500
Subject: [PATCH] Fix potential invalid read past end of array

If array has N elements, we can't read +1 if we are already at N. Also, we need to move elements by their storage size in the array, not just by individual bytes.
---
 src/cluster.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/cluster.c b/src/cluster.c
index 71b17c97..ba84b3a9 100644
--- a/src/cluster.c
+++ b/src/cluster.c
@@ -783,8 +783,11 @@ int clusterNodeRemoveSlave(clusterNode *master, clusterNode *slave) {

 for (j = 0; j < master->numslaves; j++) {
 if (master->slaves[j] == slave) {
- memmove(master->slaves+j,master->slaves+(j+1),
- (master->numslaves-1)-j);
+ if ((j+1) < master->numslaves) {
+ int remaining_slaves = (master->numslaves - j) - 1;
+ memmove(master->slaves+j,master->slaves+(j+1),
+ (sizeof(*master->slaves) * remaining_slaves));
+ }
 master->numslaves--;
 return REDIS_OK;
 }
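Review bot: After `master->numslaves--;` the vacated slot `master->slaves[master->numslaves]` still holds a stale pointer: a duplicate of the last slave, or the removed `slave` itself when it was the final element and the new `if` skips the `memmove`. Nothing visible in the hunk reads past `numslaves`, so this is hardening rather than a confirmed bug, but adding `master->slaves[master->numslaves] = NULL;` right after the decrement would turn any later over-read into a NULL dereference instead of a possibly dangling node pointer. Separately, `remaining_slaves` could be declared `size_t`, since it is only used in the `sizeof` multiplication and the guard already ensures it is at least 1. The body of `clusterNodeRemoveSlave` starts and ends outside this hunk, so how the array is sized or reallocated elsewhere should be confirmed.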