# HG changeset patch # User Christian Brabandt # Date 1452024005 -3600 # Node ID ef568437e49aa10cf05e4ad52d6867238d02653d # Parent 0f3b316a0db5fecc3f4a894772206ae96a77ae22 commit https://github.com/vim/vim/commit/04bff88df6211f64731bf8f5afa088e94496db16 Author: Bram Moolenaar Date: Tue Jan 5 20:46:16 2016 +0100 patch 7.4.1052 Problem: Illegal memory access with weird syntax command. (Dominique Pelle) Solution: Check for column past end of line. diff --git a/src/syntax.c b/src/syntax.c --- a/src/syntax.c +++ b/src/syntax.c @@ -3022,6 +3022,8 @@ find_endpos(idx, startpos, m_endpos, hl_ if (r && regmatch.startpos[0].col <= best_regmatch.startpos[0].col) { + int line_len; + /* Add offset to skip pattern match */ syn_add_end_off(&pos, ®match, spp_skip, SPO_ME_OFF, 1); @@ -3031,6 +3033,7 @@ find_endpos(idx, startpos, m_endpos, hl_ break; line = ml_get_buf(syn_buf, startpos->lnum, FALSE); + line_len = (int)STRLEN(line); /* take care of an empty match or negative offset */ if (pos.col <= matchcol) @@ -3040,12 +3043,12 @@ find_endpos(idx, startpos, m_endpos, hl_ else /* Be careful not to jump over the NUL at the end-of-line */ for (matchcol = regmatch.endpos[0].col; - line[matchcol] != NUL && matchcol < pos.col; + matchcol < line_len && matchcol < pos.col; ++matchcol) ; /* if the skip pattern includes end-of-line, break here */ - if (line[matchcol] == NUL) + if (matchcol >= line_len) break; continue; /* start with first end pattern again */ diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -742,6 +742,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 1052, +/**/ 1051, /**/ 1050,