diff options
| author | Brandon Richardson <brandon.richardson@siemens.com> | 2022-02-19 11:45:03 +0000 |
|---|---|---|
| committer | Bram Moolenaar <Bram@vim.org> | 2022-02-19 11:45:03 +0000 |
| commit | a493b6506b67887a1cc2d1c00a896598c3b2d445 (patch) | |
| tree | 74131ce6b30567ec0f9c5bf9d80bab929abb5a16 | |
| parent | 5921aeb5741fc6e84c870d68c7c35b93ad0c9f87 (diff) | |
patch 8.2.4419: illegal memory access when using 20 highlightsv8.2.4419
Problem: Illegal memory access when using exactly 20 highlights.
Solution: Add one more item in the array. (Brandon Richardson,
closes #9800)
| -rw-r--r-- | src/buffer.c | 13 | ||||
| -rw-r--r-- | src/testdir/test_tabline.vim | 11 | ||||
| -rw-r--r-- | src/version.c | 2 |
3 files changed, 22 insertions, 4 deletions
diff --git a/src/buffer.c b/src/buffer.c index bb9c773679..27e8643870 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -4170,8 +4170,11 @@ build_stl_str_hl( { stl_items = ALLOC_MULT(stl_item_T, stl_items_len); stl_groupitem = ALLOC_MULT(int, stl_items_len); - stl_hltab = ALLOC_MULT(stl_hlrec_T, stl_items_len); - stl_tabtab = ALLOC_MULT(stl_hlrec_T, stl_items_len); + + // Allocate one more, because the last element is used to indicate the + // end of the list. + stl_hltab = ALLOC_MULT(stl_hlrec_T, stl_items_len + 1); + stl_tabtab = ALLOC_MULT(stl_hlrec_T, stl_items_len + 1); } #ifdef FEAT_EVAL @@ -4251,11 +4254,13 @@ build_stl_str_hl( if (new_groupitem == NULL) break; stl_groupitem = new_groupitem; - new_hlrec = vim_realloc(stl_hltab, sizeof(stl_hlrec_T) * new_len); + new_hlrec = vim_realloc(stl_hltab, + sizeof(stl_hlrec_T) * (new_len + 1)); if (new_hlrec == NULL) break; stl_hltab = new_hlrec; - new_hlrec = vim_realloc(stl_tabtab, sizeof(stl_hlrec_T) * new_len); + new_hlrec = vim_realloc(stl_tabtab, + sizeof(stl_hlrec_T) * (new_len + 1)); if (new_hlrec == NULL) break; stl_tabtab = new_hlrec; diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim index 5560a2122f..e58a412c5a 100644 --- a/src/testdir/test_tabline.vim +++ b/src/testdir/test_tabline.vim @@ -134,6 +134,17 @@ func Test_tabline_empty_group() set tabline= endfunc +" When there are exactly 20 tabline format items (the exact size of the +" initial tabline items array), test that we don't write beyond the size +" of the array. +func Test_tabline_20_format_items_no_overrun() + set showtabline=2 + let tabline = repeat('%#StatColorHi2#', 20) + let &tabline = tabline + redrawtabline + + set showtabline& tabline& +endfunc " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 5cb7218706..eaf29a4400 100644 --- a/src/version.c +++ b/src/version.c @@ -751,6 +751,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 4419, +/**/ 4418, /**/ 4417, |