patch 8.0.1433: illegal memory access after undo

Problem:    Illegal memory access after undo. (Dominique Pelle)
Solution:   Avoid the column becomes negative. (Christian Brabandt,
            closes #2533)

diff --git a/src/mbyte.c b/src/mbyte.c
index 742c220df9534d2dfcfc7950fcb175009cca1830..5ed321ed221306dc2c0c84069ee5d519ff117a80 100644 (file)
--- a/src/mbyte.c
+++ b/src/mbyte.c
@@ -1784,6 +1784,7 @@ dbcs_ptr2char(char_u *p)
  * Convert a UTF-8 byte sequence to a wide character.
  * If the sequence is illegal or truncated by a NUL the first byte is
  * returned.
+ * For an overlong sequence this may return zero.
  * Does not include composing characters, of course.
  */
     int
@@ -4112,7 +4113,10 @@ mb_adjustpos(buf_T *buf, pos_T *lp)
            )
     {
        p = ml_get_buf(buf, lp->lnum, FALSE);
-       lp->col -= (*mb_head_off)(p, p + lp->col);
+       if (*p == NUL || (int)STRLEN(p) < lp->col)
+           lp->col = 0;
+       else
+           lp->col -= (*mb_head_off)(p, p + lp->col);
 #ifdef FEAT_VIRTUALEDIT
        /* Reset "coladd" when the cursor would be on the right half of a
         * double-wide character. */

diff --git a/src/testdir/test_undo.vim b/src/testdir/test_undo.vim
index 30164a6df4b86498f05beb461143a6ac61ee65d6..b7235867b9030e88227ab42ced4f5fd10c8bafff 100644 (file)
--- a/src/testdir/test_undo.vim
+++ b/src/testdir/test_undo.vim
@@ -350,3 +350,12 @@ func Test_cmd_in_reg_undo()
   only!
   let @a=''
 endfunc
+
+" This used to cause an illegal memory access
+func Test_undo_append()
+  new
+  call feedkeys("axx\<Esc>v", 'xt')
+  undo
+  norm o
+  quit
+endfunc

diff --git a/src/version.c b/src/version.c
index 2a3460edce1a7066f04e34162bf8e76c41acef72..6ebb01a39653273d063d6c963f9456ca144c8425 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -771,6 +771,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1433,
 /**/
     1432,
 /**/