From f56c95fdad5af521887f8cd7bc15729b5355231d Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 21 Jul 2020 19:25:18 +0200
Subject: patch 8.2.1259: empty group in 'tabline' may cause using an invalid
 pointer

Problem:    Empty group in 'tabline' may cause using an invalid pointer.
Solution:   Set the group start position. (closes #6505)
---
 src/buffer.c                 |  9 ++++++++-
 src/testdir/test_tabline.vim | 23 +++++++++++++++++++++++
 src/version.c                |  2 ++
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/src/buffer.c b/src/buffer.c
index 40ca25dfa5..54afb13b08 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -4229,12 +4229,19 @@ build_stl_str_hl(
 		}
 		if (n == curitem && group_start_userhl == group_end_userhl)
 		{
+		    // empty group
 		    p = t;
 		    l = 0;
-		    // do not use the highlighting from the removed group
 		    for (n = groupitem[groupdepth] + 1; n < curitem; n++)
+		    {
+			// do not use the highlighting from the removed group
 			if (item[n].type == Highlight)
 			    item[n].type = Empty;
+			// adjust the start position of TabPage to the next
+			// item position
+			if (item[n].type == TabPage)
+			    item[n].start = p;
+		    }
 		}
 	    }
 	    if (l > item[groupitem[groupdepth]].maxwid)
diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
index eff95082cc..6cfed7d166 100644
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -112,4 +112,27 @@ func Test_tabline_flags()
   %bw!
 endfunc
 
+function EmptyTabname()
+  return ""
+endfunction
+
+function MakeTabLine() abort
+  let titles = map(range(1, tabpagenr('$')), '"%( %" . v:val . "T%{EmptyTabname()}%T %)"')
+  let sep = 'あ'
+  let tabpages = join(titles, sep)
+  return tabpages .. sep .. '%=%999X X'
+endfunction
+
+func Test_tabline_empty_group()
+  " this was reading invalid memory
+  set tabline=%!MakeTabLine()
+  tabnew
+  redraw!
+
+  tabclose
+  set tabline=
+endfunc
+
+
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 1aacd3b39b..528c8c0aaf 100644
--- a/src/version.c
+++ b/src/version.c
@@ -754,6 +754,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1259,
 /**/
     1258,
 /**/
-- 
cgit v1.2.3