From cbfa0c44184748728a600fd69e14c5937497618c Mon Sep 17 00:00:00 2001
From: blackpawn
Date: Wed, 2 Dec 2015 01:16:29 -0600
Subject: [PATCH 1/3] Fix stb_arr_insertn and stb_arr_deleten memmove lengths

They were moving memory beyond the array bounds.
---
 stb.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stb.h b/stb.h
index d8aaf37..2d9dab6 100644
--- a/stb.h
+++ b/stb.h
@@ -3249,7 +3249,7 @@ void stb__arr_insertn_(void **pp, int size, int i, int n STB__PARAMS)
 z = stb_arr_len2(p);
 stb__arr_addlen_(&p, size, i STB__ARGS);
- memmove((char *) p + (i+n)*size, (char *) p + i*size, size * (z-i));
+ memmove((char *) p + (i+n)*size, (char *) p + i*size, size * (z-(i+n)));
 }
 *pp = p;
 }
@@ -3258,7 +3258,7 @@ void stb__arr_deleten_(void **pp, int size, int i, int n STB__PARAMS)
 {
 void *p = *pp;
 if (n) {
- memmove((char *) p + i*size, (char *) p + (i+n)*size, size * (stb_arr_len2(p)-i));
+ memmove((char *) p + i*size, (char *) p + (i+n)*size, size * (stb_arr_len2(p)-(i+n)));
 stb_arrhead2(p)->len -= n;
 }
 *pp = p;
From 28f1b0f5698fe4e05410250895ee7f75d0db4559 Mon Sep 17 00:00:00 2001
From: blackpawn
Date: Wed, 2 Dec 2015 22:34:04 -0600
Subject: [PATCH 2/3] Fix for stb_arr_insert
---
 stb.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stb.h b/stb.h
index 2d9dab6..15ecf51 100644
--- a/stb.h
+++ b/stb.h
@@ -3062,7 +3062,7 @@ typedef struct
 #define stb_arr_insertn(a,i,n) (stb__arr_insertn((void **) &(a), sizeof(*a), i, n))
 // insert an element at i
-#define stb_arr_insert(a,i,v) (stb__arr_insertn((void **) &(a), sizeof(*a), i, n), ((a)[i] = v))
+#define stb_arr_insert(a,i,v) (stb__arr_insertn((void **) &(a), sizeof(*a), i, 1), ((a)[i] = v))
 // delete N elements from the middle starting at index 'i'
 #define stb_arr_deleten(a,i,n) (stb__arr_deleten((void **) &(a), sizeof(*a), i, n))
From a4ab8c08eb4bd74dc22d98e0b1bb70372121fa36 Mon Sep 17 00:00:00 2001
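Review bot: In the stb__arr_insertn_ hunk of PATCH 1/3, the new length `size * (z-(i+n))` under-copies: z is read before the array grows, so the old tail is the `z-i` elements starting at i, and this version leaves the last n of them behind. It also goes negative whenever i+n exceeds z, and a negative int handed to memmove as its size_t length becomes an enormous copy. The overrun this patch is chasing appears to come from the preceding `stb__arr_addlen_(&p, size, i STB__ARGS)` growing by `i` rather than `n`; PATCH 3/3 makes that change, so this hunk is better dropped or squashed so that no intermediate revision carries the wrong length. The function begins outside the hunk.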
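Review bot: The corrected length in stb__arr_deleten_ (PATCH 1/3, second hunk), `size * (stb_arr_len2(p)-(i+n))`, is still computed in int from caller-supplied i and n with no range check, so a call where i+n exceeds the current length produces a negative value that memmove receives as a very large size_t. A guard ahead of the memmove, for example `assert(i >= 0 && n >= 0 && i+n <= stb_arr_len2(p));`, would turn that into a loud failure instead of an out-of-bounds move. The same applies to `size * (z-i)` in stb__arr_insertn_ as left by PATCH 3/3, where the condition is `i >= 0 && i <= z`. Whether assert is the mechanism this file prefers is not visible here, and the function's closing brace lies outside the hunk.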
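Review bot: The fixed stb_arr_insert macro (PATCH 2/3) still expands `i` twice, once in the stb__arr_insertn call and once in `(a)[i]`, and `a` more than once, so an argument with side effects would grow the array at one index and store at another. `i` and `v` are also unparenthesized in the store; `((a)[(i)] = (v))` is the safer spelling, together with a comment such as `// note: evaluates 'a' and 'i' more than once`. The old text referenced `n`, which is not a macro parameter, so it presumably only compiled where the caller had an `n` in scope; a small test that invokes the macro would catch that kind of regression.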
From: blackpawn
Date: Wed, 2 Dec 2015 23:12:12 -0600
Subject: [PATCH 3/3] Corrected fix for stb_insertn

On insert the memmove length wasn't incorrect but the addlen call was.
---
 stb.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stb.h b/stb.h
index 15ecf51..eb2b7f6 100644
--- a/stb.h
+++ b/stb.h
@@ -3248,8 +3248,8 @@ void stb__arr_insertn_(void **pp, int size, int i, int n STB__PARAMS)
 }
 z = stb_arr_len2(p);
- stb__arr_addlen_(&p, size, i STB__ARGS);
- memmove((char *) p + (i+n)*size, (char *) p + i*size, size * (z-(i+n)));
+ stb__arr_addlen_(&p, size, n STB__ARGS);
+ memmove((char *) p + (i+n)*size, (char *) p + i*size, size * (z-i));
 }
 *pp = p;
 }
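Review bot: The corrected pair in stb__arr_insertn_ has no comment explaining the arithmetic, and this series got it wrong once already, so the reasoning is worth recording next to the code. z is the length captured before growth, the addlen call extends the array by the n new slots, and the memmove shifts the old tail at [i, z). A line such as `// z = old length: grow by n, then shift the z-i elements at [i, z) up by n` above the `stb__arr_addlen_` call would cover it. Only the tail of the function is visible in this hunk.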