# HG changeset patch
# User Bram Moolenaar
# Date 1397204573 -7200
# Node ID afb542ea210cb9fc5fa8c5359bb4814370024b80
# Parent 6ca0d241c8bfdaab3b32a1e39ce0eddd9a2b1ef6
updated for version 7.4.256 Problem: Using systemlist() may cause a crash and does not handle NUL characters properly. Solution: Increase the reference count, allocate memory by length. (Yasuhiro Matsumoto)
diff --git a/src/eval.c b/src/eval.c
--- a/src/eval.c
+++ b/src/eval.c
@@ -18334,16 +18334,17 @@ get_cmd_output_as_rettv(argvars, rettv,
 for (i = 0; i < len; ++i)
 {
 start = res + i;
- for (end = start; i < len && *end != NL; ++end)
+ while (i < len && res[i] != NL)
 ++i;
-
- s = vim_strnsave(start, (int)(end - start));
+ end = res + i;
+
+ s = alloc((unsigned)(end - start + 1));
 if (s == NULL)
 goto errret;
- for (p = s, end = s + (end - start); p < end; ++p)
- if (*p == NUL)
- *p = NL;
+ for (p = s; start < end; ++p, ++start)
+ *p = *start == NUL ? NL : *start;
+ *p = NUL;
 li = listitem_alloc();
 if (li == NULL)
@@ -18356,6 +18357,7 @@ get_cmd_output_as_rettv(argvars, rettv,
 list_append(list, li);
 }
+ ++list->lv_refcount;
 rettv->v_type = VAR_LIST;
 rettv->vval.v_list = list;
 list = NULL;
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -735,6 +735,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 256,
+/**/
 255,
 /**/
 254,
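Review bot: The byte-by-byte copy that replaces `vim_strnsave()` in the first eval.c hunk has no comment saying why the item is allocated by length, so a later cleanup could fold it back into a string-copy helper and bring back the NUL handling problem the commit message describes. I would add above `s = alloc(...)`: `/* Output may contain NUL bytes: copy by length and store each NUL as NL. */`. The loop also consumes `start` up to `end`, which is safe only because `start` is reassigned at the top of the outer loop; that deserves a word in the same comment. The `(unsigned)` cast relies on `end - start` being bounded by `len`, whose origin is outside the hunk, as are the start of the function and the `errret` label.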
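Review bot: The added `++list->lv_refcount;` in the second eval.c hunk carries no explanation, and the reason is not visible in these lines. Presumably the list leaves its allocator with a zero count, so handing it to `rettv` without the increment would let the first unref free it while it is still referenced. A one-line comment such as `/* rettv holds a reference to the list */` would keep the increment from being removed as redundant. The `errret` cleanup is outside the hunk; confirm it releases `list` only when it is non-NULL, since the `list = NULL;` after the hand-over is what prevents a second release.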