authorBram Moolenaar <Bram@vim.org>2018-09-18 21:51:47 +0200
committerBram Moolenaar <Bram@vim.org>2018-09-18 21:51:47 +0200
commite961cba3cb8281c47f1dc2c2bc031b07504f17d4 (patch)
treea736f9affa9157f9ec3070a8d663b236f3fed54d
parentcc3a997746d97980374fcc9094651a5f82a6c63d (diff)
patch 8.1.0404: accessing invalid memory with long argument namev8.1.0404
Problem: Accessing invalid memory with long argument name. Solution: Use item_count instead of checking for a terminating NULL. (Dominique Pelle, closes #3444)
-rw-r--r--src/testdir/test_arglist.vim7
-rw-r--r--src/version.c4
2 files changed, 10 insertions, 1 deletions
diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
index a6c71c9f5f..c558aab7d5 100644
--- a/src/testdir/test_arglist.vim
+++ b/src/testdir/test_arglist.vim
@@ -411,3 +411,10 @@ func Test_arg_all_expand()
call assert_equal('notexist Xx\ x runtest.vim', expand('##'))
call delete('Xx x')
endfunc
+
+func Test_large_arg()
+ " Argument longer or equal to the number of columns used to cause
+ " access to invalid memory.
+ exe 'argadd ' .repeat('x', &columns)
+ args
+endfunc
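Review bot: `Test_large_arg` contains no assertion, so on a build without the fix it presumably fails only when the suite runs under a memory checker such as valgrind or ASan; in a plain run the invalid read can pass unnoticed. Capturing the listing and checking it, for example `call assert_match(repeat('x', &columns), execute('args'))`, would give the test a pass/fail signal of its own. The test also leaves the added entry in the argument list, and a closing `%argdelete` would keep it from affecting later tests. The comment says "longer or equal", but only the equal-length case is exercised; a second `argadd` with `&columns + 1` would cover the other half.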
diff --git a/src/version.c b/src/version.c
index 30b79de151..ec76b99de4 100644
--- a/src/version.c
+++ b/src/version.c
@@ -795,6 +795,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 404,
+/**/
403,
/**/
402,
@@ -1725,7 +1727,7 @@ list_in_columns(char_u **items, int size, int current)
if (Columns < width)
{
/* Not enough screen columns - show one per line */
- for (i = 0; items[i] != NULL; ++i)
+ for (i = 0; i < item_count; ++i)
{
version_msg_wrap(items[i], i == current);
if (msg_col > 0)
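Review bot: The new bound `i < item_count` relies on a count that is computed outside this hunk, and nothing at the loop records why the old `items[i] != NULL` test was unsafe. A short comment at the loop would keep a later cleanup from reverting it, for example `/* items[] need not be NULL-terminated; walk the counted entries only */`. The rest of `list_in_columns` lies outside the hunk, so any other loop over `items` there should be checked for the same terminating-NULL assumption, since reading past the array is an out-of-bounds read driven by user-supplied argument names.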