From c1bb8b254593233df8176b15ab9492acc7bce657 Mon Sep 17 00:00:00 2001
From: Michael Richters
Date: Thu, 10 Feb 2022 19:22:05 -0600
Subject: [PATCH] Fix out-of-bounds memory write in KeyAddrEventQueue

This change prevents `KeyAddrEventQueue::remove()` from shifting values in memory out of bounds of its arrays if `shift()` is called on an empty queue. It also adds a check to be sure that the entry removed is in the queue.

Signed-off-by: Michael Richters
---
 src/kaleidoscope/KeyAddrEventQueue.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/kaleidoscope/KeyAddrEventQueue.h b/src/kaleidoscope/KeyAddrEventQueue.h
index 326b84e5..214e535a 100644
--- a/src/kaleidoscope/KeyAddrEventQueue.h
+++ b/src/kaleidoscope/KeyAddrEventQueue.h
@@ -103,6 +103,8 @@ class KeyAddrEventQueue {
 // rather than using a ring buffer because we expect it will be called much
 // less often than the queue is searched via a for loop.
 void remove(uint8_t n = 0) {
+ if (n >= length_ || length_ == 0)
+ return;
 // assert(length > n);
 --length_;
 for (uint8_t i{n}; i < length_; ++i) {
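Review bot: The `length_ == 0` clause in the new guard is redundant, because `n` is a `uint8_t` and `n >= length_` is already true for every `n` when the queue is empty; `if (n >= length_) return;` expresses the same bound in one comparison. The stale `// assert(length > n);` just below now duplicates the guard and names `length` rather than `length_`. I would replace it with a comment that states the contract, for example `// Out-of-range n is a silent no-op, so --length_ can never wrap and push the shift loop past the arrays.` Presumably `length_` is an unsigned 8-bit counter, as the loop index suggests, which is what made the unguarded decrement dangerous; that declaration and the loop body are outside this hunk, so confirm there. Since `remove()` returns `void`, callers cannot tell a rejected index from a successful removal, which is worth documenting next to the guard.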