authorSimon Tatham <anakin@pobox.com>2017-05-14 08:08:57 +0100
committerSimon Tatham <anakin@pobox.com>2017-05-14 08:49:07 +0100
commit41ef29132b50404f6157d83d1edf9a133e422c9f (patch)
tree84d154ec15bd5f03eb83a520940aa7e83c866894
parent90b5c251fd86c444f54184d0d30e3d6462cbb7ae (diff)
Fix two potential buffer under/overruns.
The one in wcwidth.c actually came up in one of my valgrind runs: if you passed it a non-null-terminated wide string (specifically, one that reaches invalid memory exactly when the length parameter runs out), it would illegally load the character beyond the end of the string before noticing that the length parameter said it shouldn't. The one in bk_man.c may well not be able to come up at all, but I spotted it in passing and I thought I might as well fix it - it makes me twitch on general principles to see any use of buf[len-1] without having checked len>0 first.
-rw-r--r--bk_man.c2
-rw-r--r--wcwidth.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/bk_man.c b/bk_man.c
index 45eb511..68b942f 100644
--- a/bk_man.c
+++ b/bk_man.c
@@ -629,7 +629,7 @@ static int man_rdaddwc(rdstringc *rs, word *text, word *end,
charset_state s2 = *state;
int len = ustrlen(text->text), hyphen = FALSE;
- if (text->breaks && text->text[len - 1] == '-') {
+ if (text->breaks && len > 0 && text->text[len - 1] == '-') {
len--;
hyphen = TRUE;
}
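Review bot: The added `len > 0` test is the only thing keeping `text->text[len - 1]` from reading the element before the buffer when the word's text is empty, but nothing on the line says so. A short comment above the `if`, for example `/* empty text has no last character to inspect */`, would keep the guard from being removed later as apparently redundant. Separately, `len` is an `int` initialised from `ustrlen()`, whose return type is not visible here; if it returns a size type, the narrowing is worth confirming. The body of man_rdaddwc starts and ends outside the hunk.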
diff --git a/wcwidth.c b/wcwidth.c
index bc4ae7f..e96b7a1 100644
--- a/wcwidth.c
+++ b/wcwidth.c
@@ -124,7 +124,7 @@ int mk_wcswidth(const wchar_t *pwcs, size_t n)
{
int w, width = 0;
- for (;*pwcs && n-- > 0; pwcs++)
+ for (; n-- > 0 && *pwcs; pwcs++)
if ((w = mk_wcwidth(*pwcs)) < 0)
return -1;
else
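Review bot: The reordered condition `n-- > 0 && *pwcs` still decrements `n` inside the test, so when the loop exits because `n` is already 0, the `size_t` wraps to its maximum value. That is well defined, but harmless only if nothing after the loop reads `n`, which this hunk does not show. Moving the decrement into the step, `for (; n > 0 && *pwcs; pwcs++, n--)`, keeps the bound check ahead of the load without a side effect in the condition. The operand order is now what prevents the read past the end of a non-terminated buffer, so a comment such as `/* test n first: *pwcs may not be readable once n reaches 0 */` would stop it being swapped back. The body of mk_wcswidth continues past the hunk.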