From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 8 Jun 2019 15:25:33 +0000 (+0200)
Subject: patch 8.1.1497: accessing memory beyond allocated space
X-Git-Tag: v8.1.1497
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aef5c62a6fff7654bb8df7b9359e811f7a6e428f;p=vim

patch 8.1.1497: accessing memory beyond allocated space

Problem:    Accessing memory beyond allocated space.
Solution:   Check column before accessing popup mask.
---

diff --git a/src/screen.c b/src/screen.c
index 512560b88..76d9b3c4b 100644
--- a/src/screen.c
+++ b/src/screen.c
@@ -6797,35 +6797,40 @@ screen_line(
     if (clear_width > 0
 #ifdef FEAT_TEXT_PROP
 	    && !(flags & SLF_POPUP)  // no separator for popup window
-	    && popup_mask[row * screen_Columns + col + coloff] <= screen_zindex
 #endif
 	    )
     {
 	// For a window that has a right neighbor, draw the separator char
-	// right of the window contents.
+	// right of the window contents.  But not on top of a popup window.
 	if (coloff + col < Columns)
 	{
-	    int c;
-
-	    c = fillchar_vsep(&hl);
-	    if (ScreenLines[off_to] != (schar_T)c
-		    || (enc_utf8 && (int)ScreenLinesUC[off_to]
-						       != (c >= 0x80 ? c : 0))
-		    || ScreenAttrs[off_to] != hl)
+#ifdef FEAT_TEXT_PROP
+	    if (popup_mask[row * screen_Columns + col + coloff]
+							     <= screen_zindex)
+#endif
 	    {
-		ScreenLines[off_to] = c;
-		ScreenAttrs[off_to] = hl;
-		if (enc_utf8)
+		int c;
+
+		c = fillchar_vsep(&hl);
+		if (ScreenLines[off_to] != (schar_T)c
+			|| (enc_utf8 && (int)ScreenLinesUC[off_to]
+							!= (c >= 0x80 ? c : 0))
+			|| ScreenAttrs[off_to] != hl)
 		{
-		    if (c >= 0x80)
+		    ScreenLines[off_to] = c;
+		    ScreenAttrs[off_to] = hl;
+		    if (enc_utf8)
 		    {
-			ScreenLinesUC[off_to] = c;
-			ScreenLinesC[0][off_to] = 0;
+			if (c >= 0x80)
+			{
+			    ScreenLinesUC[off_to] = c;
+			    ScreenLinesC[0][off_to] = 0;
+			}
+			else
+			    ScreenLinesUC[off_to] = 0;
 		    }
-		    else
-			ScreenLinesUC[off_to] = 0;
+		    screen_char(off_to, row, col + coloff);
 		}
-		screen_char(off_to, row, col + coloff);
 	    }
 	}
 	else
diff --git a/src/version.c b/src/version.c
index 132329f05..8aac5d5f6 100644
--- a/src/version.c
+++ b/src/version.c
@@ -767,6 +767,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1497,
 /**/
     1496,
 /**/