# HG changeset patch
# User Bram Moolenaar
# Date 1433875164 -7200
# Node ID 70fdcdaf96a65db5fd2ef5d87ffa213f2397cb9b
# Parent 56f553a0bff6766f6f47ef3c0ecedd80487de0f6
patch 7.4.736
Problem: Invalid memory access.
Solution: Avoid going over the end of a NUL terminated string. (Dominique Pelle)
diff --git a/src/regexp.c b/src/regexp.c
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1157,7 +1157,7 @@ get_coll_element(pp)
 int l = 1;
 char_u *p = *pp;
- if (p[1] == '.')
+ if (p[0] != NUL && p[1] == '.')
 {
 #ifdef FEAT_MBYTE
 if (has_mbyte)
@@ -1228,8 +1228,9 @@ skip_anyof(p)
 {
 if (get_char_class(&p) == CLASS_NONE
 && get_equi_class(&p) == 0
- && get_coll_element(&p) == 0)
- ++p; /* It was not a class name */
+ && get_coll_element(&p) == 0
+ && *p != NUL)
+ ++p; /* it is not a class name and not NUL */
 }
 else
 ++p;
@@ -3156,7 +3157,7 @@ peekchr()
 /*
 * META contains everything that may be magic sometimes,
 * except ^ and $ ("\^" and "\$" are only magic after
- * "\v"). We now fetch the next character and toggle its
+ * "\V"). We now fetch the next character and toggle its
 * magicness. Therefore, \ is so meta-magic that it is
 * not in META.
 */
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -742,6 +742,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 736,
+/**/
 735,
 /**/
 734,
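Review bot: The added `p[0] != NUL` test in get_coll_element guards only the read of `p[1]`. The body continues outside this hunk, so it is not visible whether later code looks further ahead for the closing `.]`. If it does, a pattern that ends right after the `.` would still be read past its terminator, and the condition could be extended to `if (p[0] != NUL && p[1] == '.' && p[2] != NUL)`. A short comment above the condition would make the invariant explicit for the next editor: `/* never look past the terminating NUL of the pattern */`.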
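Review bot: In skip_anyof, get_char_class() and get_equi_class() are called on the same `p` before get_coll_element(), but only get_coll_element receives a NUL guard in this patch. Their bodies are not shown here, so it should be confirmed that any look-ahead they do cannot step over the terminator in the same way. The new `*p != NUL` test also relies on all three helpers leaving `p` unchanged when they return "no match", which deserves a comment at the call site, for example `/* helpers leave p untouched on failure; do not advance past NUL */`. The patch as shown touches only regexp.c and version.c, so no regression test accompanies the fix. The loop in skip_anyof starts and ends outside the hunk.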