From cb1bd3496594d5e4060d990b4c6bac748fb974c9 Mon Sep 17 00:00:00 2001
From: Ken Raeburn
Date: Tue, 24 Nov 2015 01:16:10 -0500
Subject: [PATCH] Fix kbd_buffer iteration loop in readable_events

* src/keyboard.c (readable_events): Wrap the event pointer back to the start of the kbd_buffer array inside the top of the loop instead of right before checking the loop condition, since kbd_fetch_ptr and kbd_store_ptr point past the end of the array to mean that element 0 is next. (bug#21935)
---
 src/keyboard.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/src/keyboard.c b/src/keyboard.c
index 849066c3c26..c9e58e7a086 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -3313,14 +3313,12 @@ readable_events (int flags)
 #endif
 ))
 {
- union buffered_input_event *event;
-
- event = ((kbd_fetch_ptr < kbd_buffer + KBD_BUFFER_SIZE)
- ? kbd_fetch_ptr
- : kbd_buffer);
+ union buffered_input_event *event = kbd_fetch_ptr;
 
 do
 {
+ if (event == kbd_buffer + KBD_BUFFER_SIZE)
+ event = kbd_buffer;
 if (!(
 #ifdef USE_TOOLKIT_SCROLL_BARS
 (flags & READABLE_EVENTS_FILTER_EVENTS) &&
@@ -3337,8 +3335,6 @@ readable_events (int flags)
 && event->kind == BUFFER_SWITCH_EVENT))
 return 1;
 event++;
- if (event == kbd_buffer + KBD_BUFFER_SIZE)
- event = kbd_buffer;
 }
 while (event != kbd_store_ptr);
 }
-- 
2.39.2
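Review bot: The termination test `while (event != kbd_store_ptr)` in the second hunk still compares raw pointers, so with the wrap moved to the top of the `do` body the scan stops correctly only if kbd_store_ptr is never left at `kbd_buffer` while unread events sit in front of it. If the store pointer could hold that start-of-array form, `event` would reach `kbd_buffer + KBD_BUFFER_SIZE`, fail the comparison, wrap, and keep reading slots that were never filled; the hunks do not show how the pointer is advanced, so this needs confirming against the code that stores events. I would record the invariant beside the new wrap, e.g. `/* kbd_fetch_ptr and kbd_store_ptr may equal kbd_buffer + KBD_BUFFER_SIZE to mean slot 0; kbd_store_ptr is never kbd_buffer while events are queued. */`, and consider backing it with an `eassert`. readable_events starts and ends outside both hunks.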