# HG changeset patch
# User Christian Brabandt <cb@256bit.org>
# Date 1517759105 -3600
# Node ID a49a5419a83f927f9d9097c4d42693082b713ed9
# Parent  a577d6c63cff73bf285defafd93e919792a65e33
patch 8.0.1468: illegal memory access in del_bytes()

commit https://github.com/vim/vim/commit/191f18bad0b5c48afa05c3e8a00f3ced993f6a38
Author: Bram Moolenaar <Bram@vim.org>
Date:   Sun Feb 4 16:38:47 2018 +0100

    patch 8.0.1468: illegal memory access in del_bytes()

    Problem:    Illegal memory access in del_bytes().
    Solution:   Check for negative byte count. (Christian Brabandt, closes https://github.com/vim/vim/issues/2466)

diff --git a/src/message.c b/src/message.c
--- a/src/message.c
+++ b/src/message.c
@@ -761,7 +761,7 @@ emsgn(char_u *s, long n)
     void
 iemsg(char_u *s)
 {
-    msg(s);
+    emsg(s);
 #ifdef ABORT_ON_INTERNAL_ERROR
     abort();
 #endif
@@ -4993,7 +4993,7 @@ vim_vsnprintf_typval(
 			    zero_padding = 0;
 			}
 			else
-                        {
+			{
 			    /* Regular float number */
 			    format[0] = '%';
 			    l = 1;
@@ -5016,7 +5016,7 @@ vim_vsnprintf_typval(
 			    format[l + 1] = NUL;
 
 			    str_arg_l = sprintf(tmp, format, f);
-                        }
+			}
 
 			if (remove_trailing_zeroes)
 			{
diff --git a/src/misc1.c b/src/misc1.c
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -2457,7 +2457,7 @@ del_chars(long count, int fixpos)
  * If "fixpos" is TRUE, don't leave the cursor on the NUL after the line.
  * Caller must have prepared for undo.
  *
- * return FAIL for failure, OK otherwise
+ * Return FAIL for failure, OK otherwise.
  */
     int
 del_bytes(
@@ -2476,12 +2476,21 @@ del_bytes(
     oldp = ml_get(lnum);
     oldlen = (int)STRLEN(oldp);
 
-    /*
-     * Can't do anything when the cursor is on the NUL after the line.
-     */
+    /* Can't do anything when the cursor is on the NUL after the line. */
     if (col >= oldlen)
 	return FAIL;
 
+    /* If "count" is zero there is nothing to do. */
+    if (count == 0)
+	return OK;
+
+    /* If "count" is negative the caller must be doing something wrong. */
+    if (count < 1)
+    {
+	IEMSGN("E950: Invalid count for del_bytes(): %ld", count);
+	return FAIL;
+    }
+
 #ifdef FEAT_MBYTE
     /* If 'delcombine' is set and deleting (less than) one character, only
      * delete the last combining character. */
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -772,6 +772,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1468,
+/**/
     1467,
 /**/
     1466,