From db56a3b4fd4c10f645b77c759e779efb3468e820 Mon Sep 17 00:00:00 2001
From: Axel Waggershauser <awagger@gmail.com>
Date: Fri, 2 Jun 2017 17:02:25 +0200
Subject: [PATCH] fix memory corruption in gp_log_remove_func

The gp_log_remove_func implementation had 2 severe issues:
* it moved way to few bytes
* it moved the wrong bytes to the wrong place, destroying libc memory
management structures (resulting in different types of crashes).

When the first item has to be removed, it moved a couple bytes from the
start of the array to the left (before the start of the array), instead
of moving the second and following items over the first one.
---
 libgphoto2_port/libgphoto2_port/gphoto2-port-log.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libgphoto2_port/libgphoto2_port/gphoto2-port-log.c b/libgphoto2_port/libgphoto2_port/gphoto2-port-log.c
index cc03bef654..cf9dce38c7 100644
--- a/libgphoto2_port/libgphoto2_port/gphoto2-port-log.c
+++ b/libgphoto2_port/libgphoto2_port/gphoto2-port-log.c
@@ -141,7 +141,7 @@ gp_log_remove_func (int id)
 
 	for (i=0;i<log_funcs_count;i++) {
 		if (log_funcs[i].id == id) {
-			memmove (log_funcs + i - 1, log_funcs + i, log_funcs_count - i);
+			memmove (log_funcs + i, log_funcs + i + 1, sizeof(LogFunc) * (log_funcs_count - i - 1));
 			log_funcs_count--;
 			return GP_OK;
 		}