library crashes in instance.c libcouchbase_switch_to_backup_node.

library crashes when accessing into allocated memory at instance->backup_nodes[instance->backup_idx].

instance->backup_nodes[instance->backup_idx] is not necessarily NULL when instance->backup_idx is >= instance->nbackup_nodes.

This was fixed by changing line 729 from:

if (instance->backup_nodes[instance->backup_idx] == NULL)

{ --instance->backup_idx; libcouchbase_error_handler(instance, error, reason); return -1; }

to:

if (instance->backup_idx >= instance->nbackup_nodes || instance->backup_nodes[instance->backup_idx] == NULL) { --instance->backup_idx; libcouchbase_error_handler(instance, error, reason); return -1; }

This prevents indexing past the number of backup_nodes that have been allocated.