patch 8.1.0404: accessing invalid memory with long argument name

Problem:    Accessing invalid memory with long argument name.
Solution:   Use item_count instead of checking for a terminating NULL.
            (Dominique Pelle, closes #3444)

diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
index a6c71c9f5f4d80014501085e78faf156cd90b5ea..c558aab7d56b1d3ff9892e291f5350ed032368ba 100644 (file)
--- a/src/testdir/test_arglist.vim
+++ b/src/testdir/test_arglist.vim
@@ -411,3 +411,10 @@ func Test_arg_all_expand()
   call assert_equal('notexist Xx\ x runtest.vim', expand('##'))
   call delete('Xx x')
 endfunc
+
+func Test_large_arg()
+  " Argument longer or equal to the number of columns used to cause
+  " access to invalid memory.
+  exe 'argadd ' .repeat('x', &columns)
+  args
+endfunc

diff --git a/src/version.c b/src/version.c
index 30b79de151893f6b05daf7e3f52239d6716897aa..ec76b99de42be8971b996a24b68f038a695335ff 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -794,6 +794,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    404,
 /**/
     403,
 /**/
@@ -1725,7 +1727,7 @@ list_in_columns(char_u **items, int size, int current)
     if (Columns < width)
     {
        /* Not enough screen columns - show one per line */
-       for (i = 0; items[i] != NULL; ++i)
+       for (i = 0; i < item_count; ++i)
        {
            version_msg_wrap(items[i], i == current);
            if (msg_col > 0)