I'd say you're unlucky then, graydot.
Perhaps the best way to demonstrate the over-run is as such:
Code:
char arr[0]; /* not legal, but this is for demo purposes :) */
size_t count = 0;
char tmp;
scanf("%c", &tmp);
count = 1;
/* resize arr to count bytes... That is, arr now has size 1. */
/* at this point arr has size of 1 element */
arr[count] = '\0'; /* WRONG: count = 1, which is out of bounds in this case. You should get a segfault. */
arr[count - 1] = tmp; /* Right, it's in bounds. But legally there should be no nul-terminator after it. */
/* ... and the loop of errors repeats */
And the reason it didn't SegFault is probably because the realloc() gave you more bytes than you asked for (possibly to be on a word boundary). Consider yourself unlucky too, Theoren.
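An added example, not part of the original post: the same grow-by-one loop with room reserved for the terminator, plus a bounds check that reports the `arr[count]` write deterministically instead of depending on whether the allocator happens to fault. `struct buf`, `buf_store`, `buf_append` and `thread_sizing_terminator_fits` are hypothetical names, and the string `"abc"` is constructed input standing in for the `scanf()` calls.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper type: a byte buffer that remembers its allocated size. */
struct buf {
    char  *data;
    size_t cap;    /* bytes actually requested from realloc() */
    size_t count;  /* characters stored, not counting the terminator */
};

/* Store c at idx only if idx is inside the allocation; -1 means out of bounds. */
int buf_store(struct buf *b, size_t idx, char c)
{
    if (idx >= b->cap)
        return -1;
    b->data[idx] = c;
    return 0;
}

/* Append one character, growing to count + 2 bytes: old chars, new char, '\0'. */
int buf_append(struct buf *b, char c)
{
    size_t need = b->count + 2;
    char *p = realloc(b->data, need);
    if (p == NULL) return -1;   /* old block is still valid and still owned by b */
    b->data = p;
    b->cap = need;
    b->data[b->count++] = c;
    return buf_store(b, b->count, '\0');
}

/* The thread's sizing (cap == count), checked instead of written blindly. */
int thread_sizing_terminator_fits(size_t count)
{
    struct buf b = { malloc(count), count, count };
    int rc = (b.data != NULL) ? buf_store(&b, count, '\0') : -1;
    free(b.data);
    return rc == 0;
}

int main(void)
{
    struct buf b = { NULL, 0, 0 };
    const char *sample = "abc";   /* constructed input standing in for scanf() */
    for (size_t i = 0; sample[i] != '\0'; i++)
        if (buf_append(&b, sample[i]) != 0) return 1;
    printf("%s: %zu chars in %zu bytes\n", b.data, b.count, b.cap);
    free(b.data);
    return 0;
}
```

Building the original loop with `-fsanitize=address` or running it under Valgrind reports the one-byte write even when the allocator's extra bytes hide it at run time.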