# HG changeset patch
# User Bram Moolenaar <bram@vim.org>
# Date 1369050269 -7200
# Node ID 44b89b025cdfb6a7371a036ef1b2dd93670b2a15
# Parent  f995990e6d46bb45ef2a4d03b9688f58713595dd
updated for version 7.3.975
Problem:    Crash in regexp parsing.
Solution:   Correctly compute the end of allocated memory.

diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -231,14 +231,19 @@ nfa_regcomp_start(expr, re_flags)
     /* A reasonable estimation for size */
     nstate_max = (STRLEN(expr) + 1) * NFA_POSTFIX_MULTIPLIER;
 
-    /* Size for postfix representation of expr */
+    /* Some items blow up in size, such as [A-z].  Add more space for that.
+     * TODO: some patterns may still fail. */
+//    nstate_max += 1000;
+
+    /* Size for postfix representation of expr. */
     postfix_size = sizeof(*post_start) * nstate_max;
+
     post_start = (int *)lalloc(postfix_size, TRUE);
     if (post_start == NULL)
 	return FAIL;
     vim_memset(post_start, 0, postfix_size);
     post_ptr = post_start;
-    post_end = post_start + postfix_size;
+    post_end = post_start + nstate_max;
     nfa_has_zend = FALSE;
 
     regcomp_start(expr, re_flags);
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    975,
+/**/
     974,
 /**/
     973,