From 1af2fd44f0a66fd0d94c224319db0b128d42a288 Mon Sep 17 00:00:00 2001
From: Justus Winter
Date: Thu, 21 Jul 2016 11:49:33 +0200
Subject: [PATCH] g10: Fix crash.

* g10/tofu.c (tofu_closedbs): Fix freeing database handles up to the cache limit. Previously, this would crash if db_cache_count == count.

Reported-by: Ben Kibbey
Signed-off-by: Justus Winter
---
 g10/tofu.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/g10/tofu.c b/g10/tofu.c
index 471aec6f3..0b9d84822 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -1104,8 +1104,14 @@ tofu_closedbs (ctrl_t ctrl)
 is easy to skip the first COUNT entries since we still have a handle on the old head. */
 int skip = DB_CACHE_ENTRIES - count;
- while (-- skip > 0)
- old_head = old_head->next;
+ if (skip < 0)
+ for (old_head = db_cache, skip = DB_CACHE_ENTRIES;
+ skip > 0;
+ old_head = old_head->next, skip--)
+ { /* Do nothing. */ }
+ else
+ while (-- skip > 0)
+ old_head = old_head->next;
 *old_head->prevp = NULL;
@@ -1116,6 +1122,8 @@ tofu_closedbs (ctrl_t ctrl)
 old_head = db;
 db_cache_count --;
 }
+
+ log_assert (db_cache_count == DB_CACHE_ENTRIES);
 }
 }
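Review bot: The two walks in the new `if`/`else` count differently: the `for` branch advances `old_head` exactly `DB_CACHE_ENTRIES` times from `db_cache` before the list is cut, whereas the `else` branch's `while (-- skip > 0)` advances only `skip - 1` times, so if `old_head` is the first pre-existing entry (as the comment directly above the hunk suggests) that path cuts one entry too early and frees one handle too many whenever `skip >= 1`, and the `log_assert (db_cache_count == DB_CACHE_ENTRIES)` added in the second hunk would then abort on exactly that path. If that reading holds, the loop should be `while (skip -- > 0) old_head = old_head->next;`, which still walks zero entries for `skip == 0` and matches the `for` branch's counting. Separately, the `for` branch dereferences `old_head->next` `DB_CACHE_ENTRIES` times with no NULL check, which is only safe if the enclosing code has already established that the list holds more than `DB_CACHE_ENTRIES` entries; a one-line comment such as `/* Precondition: db_cache_count > DB_CACHE_ENTRIES, so the walk cannot run off the list. */` would make that dependency visible. tofu_closedbs starts before the first hunk and its body continues into the second hunk, so the guard itself is not visible here.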