patch 9.0.0046: reading past end of completion with duplicate match v9.0.0046
authorBram Moolenaar <Bram@vim.org>
Thu, 7 Jul 2022 18:59:49 +0000 (19:59 +0100)
committerBram Moolenaar <Bram@vim.org>
Thu, 7 Jul 2022 18:59:49 +0000 (19:59 +0100)
Problem:    Reading past end of completion with duplicate match.
Solution:   Check string length

src/insexpand.c
src/testdir/test_ins_complete.vim
src/version.c

index 0ecb6560c5fc32a5578db520fb3e036ddf316018..9c598a89f73dc2bf0965399182033be9107cf94f 100644 (file)
@@ -786,7 +786,8 @@ ins_compl_add(
        {
            if (!match_at_original_text(match)
                    && STRNCMP(match->cp_str, str, len) == 0
-                   && match->cp_str[len] == NUL)
+                   && ((int)STRLEN(match->cp_str) <= len
+                                                || match->cp_str[len] == NUL))
                return NOTDONE;
            match = match->cp_next;
        } while (match != NULL && !is_first_match(match));
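Review bot: In the new condition the second disjunct `match->cp_str[len] == NUL` no longer decides anything: it is evaluated only when `STRLEN(match->cp_str) > len`, and then `cp_str[len]` is by definition not NUL. The test can be reduced to `&& (int)STRLEN(match->cp_str) <= len)`, which makes it plain that `cp_str` is never indexed past its terminator. A one-line comment such as `// "len" may be larger than the length of "str", so cp_str[len] can lie past the NUL` would record why the length check is there. That reading of `len` is inferred from the fix, because ins_compl_add's body starts and ends outside the hunk and the place where `len` is set is not visible here.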
index 5e5b1bbece681fa888132d713ebc3111eb98686e..2be6d0602037404cfda1e8937b29d9035a8b2174 100644 (file)
@@ -2112,5 +2112,15 @@ func Test_infercase_very_long_line()
   set noic noinfercase
 endfunc
 
+func Test_ins_complete_add()
+  " this was reading past the end of allocated memory
+  new
+  norm o\7f
+  norm 7o\80\80
+  sil! norm o\10\18\10\18\10
+
+  bwipe!
+endfunc
+
 
 " vim: shiftwidth=2 sts=2 expandtab
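Review bot: Test_ins_complete_add contains no assert, so on a build without the insexpand.c change it can only fail when the suite runs under valgrind or a sanitizer; the comment should say so, e.g. `" no assert: an unpatched build only fails under valgrind or ASan`. The `sil!` on the last `norm` also suppresses any error that line raises, so an unrelated failure there would pass silently. A short comment on what the control bytes are meant to trigger (presumably repeated insert-mode completion, which is inferred and not stated in the hunk) would help a later reader keep the reproducer intact.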
index 75de2fc7b75145f03b7637133a9cb0557bdeaa6b..de8e968f42f8c92718498c1751c2a1512e3e4b03 100644 (file)
@@ -735,6 +735,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    46,
 /**/
     45,
 /**/