# HG changeset patch
# User Bram Moolenaar <Bram@vim.org>
# Date 1586104236 -7200
# Node ID 6babfd2d15e91b8ea318762f349b5d711282c6f1
# Parent  9ab370ded046d6dd53aa3a8efe9868c31383ca83
patch 8.2.0513: reading past allocate memory when using varargs

Commit: https://github.com/vim/vim/commit/5d905c2b9612314f6d8616560800665056050adc
Author: Bram Moolenaar <Bram@vim.org>
Date:   Sun Apr 5 18:20:45 2020 +0200

    patch 8.2.0513: reading past allocate memory when using varargs

    Problem:    Reading past allocate memory when using varargs.
    Solution:   Fix copying function argument types.

diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -739,6 +739,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    513,
+/**/
     512,
 /**/
     511,
diff --git a/src/vim9compile.c b/src/vim9compile.c
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -353,7 +353,8 @@ get_func_type(type_T *ret_type, int argc
 }
 
 /*
- * For a function type, reserve space for "argcount" argument types.
+ * For a function type, reserve space for "argcount" argument types (including
+ * vararg).
  */
     static int
 func_type_add_arg_types(
@@ -5823,16 +5824,19 @@ compile_def_function(ufunc_T *ufunc, int
     }
 
     {
-	int argcount = ufunc->uf_args.ga_len
-					 + (ufunc->uf_va_name == NULL ? 0 : 1);
+	int varargs = ufunc->uf_va_name != NULL;
+	int argcount = ufunc->uf_args.ga_len - (varargs ? 1 : 0);
 
 	// Create a type for the function, with the return type and any
 	// argument types.
-	ufunc->uf_func_type = get_func_type(ufunc->uf_ret_type, argcount,
-							 &ufunc->uf_type_list);
-	if (argcount > 0)
+	// A vararg is included in uf_args.ga_len but not in uf_arg_types.
+	// The type is included in "tt_args".
+	ufunc->uf_func_type = get_func_type(ufunc->uf_ret_type,
+				  ufunc->uf_args.ga_len, &ufunc->uf_type_list);
+	if (ufunc->uf_args.ga_len > 0)
 	{
-	    if (func_type_add_arg_types(ufunc->uf_func_type, argcount,
+	    if (func_type_add_arg_types(ufunc->uf_func_type,
+			ufunc->uf_args.ga_len,
 			argcount - ufunc->uf_def_args.ga_len,
 						 &ufunc->uf_type_list) == FAIL)
 	    {
@@ -5850,6 +5854,9 @@ compile_def_function(ufunc_T *ufunc, int
 	    else
 		mch_memmove(ufunc->uf_func_type->tt_args,
 			     ufunc->uf_arg_types, sizeof(type_T *) * argcount);
+	    if (varargs)
+		ufunc->uf_func_type->tt_args[argcount] =
+			ufunc->uf_va_type == NULL ? &t_any : ufunc->uf_va_type;
 	}
     }