patch 8.2.4419: illegal memory access when using 20 highlights

author Brandon Richardson <brandon.richardson@siemens.com>

Sat, 19 Feb 2022 11:45:03 +0000 (11:45 +0000)

committer Bram Moolenaar <Bram@vim.org>

Sat, 19 Feb 2022 11:45:03 +0000 (11:45 +0000)
author Brandon Richardson <brandon.richardson@siemens.com>
Sat, 19 Feb 2022 11:45:03 +0000 (11:45 +0000)
committer Bram Moolenaar <Bram@vim.org>
Sat, 19 Feb 2022 11:45:03 +0000 (11:45 +0000)
diff --git a/src/buffer.c b/src/buffer.c

index bb9c773679d4359c0f28f13190ae1722fbdc5c36..27e8643870d697f1d73f396ea31e069acaaefb82 100644 (file)
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -4170,8 +4170,11 @@ build_stl_str_hl(
      {
         stl_items = ALLOC_MULT(stl_item_T, stl_items_len);
         stl_groupitem = ALLOC_MULT(int, stl_items_len);
-       stl_hltab  = ALLOC_MULT(stl_hlrec_T, stl_items_len);
-       stl_tabtab = ALLOC_MULT(stl_hlrec_T, stl_items_len);
+
+       // Allocate one more, because the last element is used to indicate the
+       // end of the list.
+       stl_hltab  = ALLOC_MULT(stl_hlrec_T, stl_items_len + 1);
+       stl_tabtab = ALLOC_MULT(stl_hlrec_T, stl_items_len + 1);
      }
  
  #ifdef FEAT_EVAL
@@ -4251,11 +4254,13 @@ build_stl_str_hl(
             if (new_groupitem == NULL)
                 break;
             stl_groupitem = new_groupitem;
-           new_hlrec = vim_realloc(stl_hltab, sizeof(stl_hlrec_T) * new_len);
+           new_hlrec = vim_realloc(stl_hltab,
+                                         sizeof(stl_hlrec_T) * (new_len + 1));
             if (new_hlrec == NULL)
                 break;
             stl_hltab = new_hlrec;
-           new_hlrec = vim_realloc(stl_tabtab, sizeof(stl_hlrec_T) * new_len);
+           new_hlrec = vim_realloc(stl_tabtab,
+                                         sizeof(stl_hlrec_T) * (new_len + 1));
             if (new_hlrec == NULL)
                 break;
             stl_tabtab = new_hlrec;
diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim

index 5560a2122f83c57da50331af7d01fdbbf1832501..e58a412c5a34e92a9386fb790acac026a11977b7 100644 (file)
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -134,6 +134,17 @@ func Test_tabline_empty_group()
    set tabline=
  endfunc
  
+" When there are exactly 20 tabline format items (the exact size of the
+" initial tabline items array), test that we don't write beyond the size
+" of the array.
+func Test_tabline_20_format_items_no_overrun()
+  set showtabline=2
  
+  let tabline = repeat('%#StatColorHi2#', 20)
+  let &tabline = tabline
+  redrawtabline
+
+  set showtabline& tabline&
+endfunc
  
  " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c

index 5cb7218706ce4aa4d68ac2a1e762b24449400316..eaf29a440098c69201998561d56ab1f18a225da6 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -750,6 +750,8 @@ static char *(features[]) =
  
  static int included_patches[] =
  {   /* Add new patch number below this line */
+/**/
+    4419,
  /**/
      4418,
  /**/
author	Brandon Richardson <brandon.richardson@siemens.com>
	Sat, 19 Feb 2022 11:45:03 +0000 (11:45 +0000)
committer	Bram Moolenaar <Bram@vim.org>
	Sat, 19 Feb 2022 11:45:03 +0000 (11:45 +0000)
src/buffer.c		patch \| blob \| blame \| history
src/testdir/test_tabline.vim		patch \| blob \| blame \| history
src/version.c		patch \| blob \| blame \| history