carray-replace: two overrun bugs.

* ffi.c (carray_replace): In the case when we replace a larger
range by a smaller one, when the upper part of the aray shifts
down, we are not correctly clearing to zeros the vacated part
of the array. The variable whole is a displacement from the
base of the array, not from ptr. Secondly, the copying loop
must go rom fr to below sn, not below vn; sn is derived from
vn but truncated not to go past the array.

* tests/017/carray.tl: New file. Several cases here fail
before this fix.

2 files changed, 18 insertions, 2 deletions

diff --git a/ffi.c b/ffi.c
index 6428bf91..8388b5cf 100644
--- a/ffi.c
+++ b/ffi.c
@@ -5877,11 +5877,11 @@ val carray_replace(val carray, val values, val from, val to)
       } else if (newrange < oldrange) {
         cnum delta = oldrange - newrange;
         memmove(ptr + newrange, ptr + oldrange, tail);
-        memset(ptr + whole - delta, 0, delta);
+        memset(scry->data + whole - delta, 0, delta);
       }
     }
 
-    for (; fn < vn; fn++, ptr += elsize) {
+    for (; fn < sn; fn++, ptr += elsize) {
       val item = seq_geti(&item_iter);
       eltft->put(eltft, item, ptr, self);
     }
diff --git a/tests/017/carray.tl b/tests/017/carray.tl
new file mode 100644
index 00000000..1d450d1a
--- /dev/null
+++ b/tests/017/carray.tl
@@ -0,0 +1,16 @@
+(load "../common")
+
+(let* ((bf (make-buf 16))
+       (ca (carray-buf bf (ffi uchar))))
+  (mtest
+    (buf-put-buf bf (make-buf 8 255) 8) #b'ffffffffffffffff'
+    bf #b'0000000000000000 ffffffffffffffff'
+    (carray-set-length ca 8) nil
+    (set [ca -1..10] #(1 2 3)) #(1 2 3)
+    bf #b'0000000000000001 ffffffffffffffff'
+    (set [ca 2..7] #(1 2 3)) #(1 2 3)
+    bf #b'0000010203010000 ffffffffffffffff'
+    (set [ca 3..4] #(10 11 12)) #(10 11 12)
+    bf #b'0000010A0B0C0301 ffffffffffffffff'
+    (set [ca 3..3] #(9)) #(9)
+    bf #b'000001090A0B0C03 ffffffffffffffff'))