From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 13 Aug 2010 14:51:26 +0000 (+0200)
Subject: Fix illegal memory access when using expressions in the command line.
X-Git-Tag: v7.3~16
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=35a3423c6ae785bf739319e1ec416b2de1462a8c;p=vim

Fix illegal memory access when using expressions in the command line.
---

diff --git a/runtime/doc/todo.txt b/runtime/doc/todo.txt
index 56faa6849..dbb5be730 100644
--- a/runtime/doc/todo.txt
+++ b/runtime/doc/todo.txt
@@ -30,8 +30,6 @@ be worked on, but only if you sponsor Vim development.  See |sponsor|.
 							*known-bugs*
 -------------------- Known bugs and current work -----------------------
 
-Patch for crash with cmdline editing functions. (Dominique Pelle, 2010 Aug 12)
-
 Have a close look at :find completion, anything that could be wrong?
 
 Test 73 fails on MS-Windows when compiled with DJGPP and run twice.  How to
diff --git a/src/ex_getln.c b/src/ex_getln.c
index d2925535e..1cf678543 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -2527,7 +2527,10 @@ realloc_cmdbuff(len)
 	ccline.cmdbuff = p;		/* keep the old one */
 	return FAIL;
     }
-    mch_memmove(ccline.cmdbuff, p, (size_t)ccline.cmdlen + 1);
+    /* There isn't always a NUL after the command, but it may need to be
+     * there, thus copy up to the NUL and add a NUL. */
+    mch_memmove(ccline.cmdbuff, p, (size_t)ccline.cmdlen);
+    ccline.cmdbuff[ccline.cmdlen] = NUL;
     vim_free(p);
 
     if (ccline.xpc != NULL