# HG changeset patch
# User Bram Moolenaar <Bram@vim.org>
# Date 1639942203 -3600
# Node ID a3f38923c0377e4cefc82953a896709e8f206cee
# Parent  ac5f53e8cf77597f9f4bf7fae1b3f79818487975
patch 8.2.3855: illegal memory access when displaying a blob

Commit: https://github.com/vim/vim/commit/bc404bfb32cf2bef34050d2aeae0ea72ccf980cc
Author: Yegappan Lakshmanan <yegappan@yahoo.com>
Date:   Sun Dec 19 19:19:31 2021 +0000

    patch 8.2.3855: illegal memory access when displaying a blob

    Problem:    Illegal memory access when displaying a blob.
    Solution:   Append a NUL at the end. (Yegappan Lakshmanan, closes https://github.com/vim/vim/issues/9372)

diff --git a/src/blob.c b/src/blob.c
--- a/src/blob.c
+++ b/src/blob.c
@@ -240,6 +240,7 @@ blob2string(blob_T *blob, char_u **tofre
 	vim_snprintf((char *)numbuf, NUMBUFLEN, "%02X", (int)blob_get(blob, i));
 	ga_concat(&ga, numbuf);
     }
+    ga_append(&ga, NUL);		// append a NUL at the end
     *tofree = ga.ga_data;
     return *tofree;
 }
diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -2917,20 +2917,20 @@ nfa_print_state2(FILE *debugf, nfa_state
 	ga_concat(indent, (char_u *)"| ");
     else
 	ga_concat(indent, (char_u *)"  ");
-    ga_append(indent, '\0');
+    ga_append(indent, NUL);
 
     nfa_print_state2(debugf, state->out, indent);
 
     // replace last part of indent for state->out1
     indent->ga_len -= 3;
     ga_concat(indent, (char_u *)"  ");
-    ga_append(indent, '\0');
+    ga_append(indent, NUL);
 
     nfa_print_state2(debugf, state->out1, indent);
 
     // shrink indent
     indent->ga_len -= 3;
-    ga_append(indent, '\0');
+    ga_append(indent, NUL);
 }
 
 /*
diff --git a/src/testdir/test_blob.vim b/src/testdir/test_blob.vim
--- a/src/testdir/test_blob.vim
+++ b/src/testdir/test_blob.vim
@@ -680,5 +680,12 @@ func Test_list2blob()
   call assert_equal(0z00010203, list2blob(range(4)))
 endfunc
 
+" The following used to cause an out-of-bounds memory access
+func Test_blob2string()
+  let v = '0z' .. repeat('01010101.', 444)
+  let v ..= '01'
+  exe 'let b = ' .. v
+  call assert_equal(v, string(b))
+endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/testdir/test_messages.vim b/src/testdir/test_messages.vim
--- a/src/testdir/test_messages.vim
+++ b/src/testdir/test_messages.vim
@@ -341,7 +341,7 @@ endfunc
 func Test_echo_string_partial()
   function CountSpaces()
   endfunction
-  echomsg function('CountSpaces', [#{aaaaaaaaaaa: v:false, bbbbbbbbbbbb: '', ccccccccccc: ['ab', 'cd']}])
+  call assert_equal("function('CountSpaces', [{'ccccccccccc': ['ab', 'cd'], 'aaaaaaaaaaa': v:false, 'bbbbbbbbbbbb': ''}])", string(function('CountSpaces', [#{aaaaaaaaaaa: v:false, bbbbbbbbbbbb: '', ccccccccccc: ['ab', 'cd']}])))
 endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -750,6 +750,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    3855,
+/**/
     3854,
 /**/
     3853,