From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 5 Jan 2016 19:46:16 +0000 (+0100)
Subject: patch 7.4.1052
X-Git-Tag: v7.4.1052
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=04bff88df6211f64731bf8f5afa088e94496db16;p=vim

patch 7.4.1052
Problem:    Illegal memory access with weird syntax command. (Dominique Pelle)
Solution:   Check for column past end of line.
---

diff --git a/src/syntax.c b/src/syntax.c
index ae3a88a61..937fbf186 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -3022,6 +3022,8 @@ find_endpos(idx, startpos, m_endpos, hl_endpos, flagsp, end_endpos,
 	    if (r && regmatch.startpos[0].col
 					     <= best_regmatch.startpos[0].col)
 	    {
+		int line_len;
+
 		/* Add offset to skip pattern match */
 		syn_add_end_off(&pos, &regmatch, spp_skip, SPO_ME_OFF, 1);
 
@@ -3031,6 +3033,7 @@ find_endpos(idx, startpos, m_endpos, hl_endpos, flagsp, end_endpos,
 		    break;
 
 		line = ml_get_buf(syn_buf, startpos->lnum, FALSE);
+		line_len = (int)STRLEN(line);
 
 		/* take care of an empty match or negative offset */
 		if (pos.col <= matchcol)
@@ -3040,12 +3043,12 @@ find_endpos(idx, startpos, m_endpos, hl_endpos, flagsp, end_endpos,
 		else
 		    /* Be careful not to jump over the NUL at the end-of-line */
 		    for (matchcol = regmatch.endpos[0].col;
-			    line[matchcol] != NUL && matchcol < pos.col;
+			    matchcol < line_len && matchcol < pos.col;
 								   ++matchcol)
 			;
 
 		/* if the skip pattern includes end-of-line, break here */
-		if (line[matchcol] == NUL)
+		if (matchcol >= line_len)
 		    break;
 
 		continue;	    /* start with first end pattern again */
diff --git a/src/version.c b/src/version.c
index 402fd0ab0..c4771baf6 100644
--- a/src/version.c
+++ b/src/version.c
@@ -741,6 +741,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1052,
 /**/
     1051,
 /**/