diff options
| author | Sean Dewar <seandewar@users.noreply.github.com> | 2022-02-19 14:22:32 +0000 |
|---|---|---|
| committer | Sean Dewar <seandewar@users.noreply.github.com> | 2022-02-19 15:29:17 +0000 |
| commit | 73cc729dbc156c5882e1db96b35913d4df48c7ba (patch) | |
| tree | 6354a17ef3b1f9bde90ce99d18c53ce700a1cf71 | |
| parent | 9f4401897a860d10df9ce501eddbde725c943e44 (diff) | |
| download | rneovim-73cc729dbc156c5882e1db96b35913d4df48c7ba.tar.gz rneovim-73cc729dbc156c5882e1db96b35913d4df48c7ba.tar.bz2 rneovim-73cc729dbc156c5882e1db96b35913d4df48c7ba.zip | |
vim-patch:8.2.4419: illegal memory access when using 20 highlights
Problem: Illegal memory access when using exactly 20 highlights.
Solution: Add one more item in the array. (Brandon Richardson,
closes vim/vim#9800)
https://github.com/vim/vim/commit/a493b6506b67887a1cc2d1c00a896598c3b2d445
| -rw-r--r-- | src/nvim/buffer.c | 12 | ||||
| -rw-r--r-- | src/nvim/testdir/test_tabline.vim | 11 |
2 files changed, 19 insertions, 4 deletions
diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c index 38b045b31c..aada11bc9e 100644 --- a/src/nvim/buffer.c +++ b/src/nvim/buffer.c @@ -3438,8 +3438,12 @@ int build_stl_str_hl(win_T *wp, char_u *out, size_t outlen, char_u *fmt, int use if (stl_items == NULL) { stl_items = xmalloc(sizeof(stl_item_t) * stl_items_len); stl_groupitems = xmalloc(sizeof(int) * stl_items_len); - stl_hltab = xmalloc(sizeof(stl_hlrec_t) * stl_items_len); - stl_tabtab = xmalloc(sizeof(StlClickRecord) * stl_items_len); + + // Allocate one more, because the last element is used to indicate the + // end of the list. + stl_hltab = xmalloc(sizeof(stl_hlrec_t) * (stl_items_len + 1)); + stl_tabtab = xmalloc(sizeof(StlClickRecord) * (stl_items_len + 1)); + stl_separator_locations = xmalloc(sizeof(int) * stl_items_len); } @@ -3514,8 +3518,8 @@ int build_stl_str_hl(win_T *wp, char_u *out, size_t outlen, char_u *fmt, int use stl_items = xrealloc(stl_items, sizeof(stl_item_t) * new_len); stl_groupitems = xrealloc(stl_groupitems, sizeof(int) * new_len); - stl_hltab = xrealloc(stl_hltab, sizeof(stl_hlrec_t) * new_len); - stl_tabtab = xrealloc(stl_tabtab, sizeof(StlClickRecord) * new_len); + stl_hltab = xrealloc(stl_hltab, sizeof(stl_hlrec_t) * (new_len + 1)); + stl_tabtab = xrealloc(stl_tabtab, sizeof(StlClickRecord) * (new_len + 1)); stl_separator_locations = xrealloc(stl_separator_locations, sizeof(int) * new_len); diff --git a/src/nvim/testdir/test_tabline.vim b/src/nvim/testdir/test_tabline.vim index 117d962d08..3a18206078 100644 --- a/src/nvim/testdir/test_tabline.vim +++ b/src/nvim/testdir/test_tabline.vim @@ -86,6 +86,17 @@ func Test_tabline_empty_group() set tabline= endfunc +" When there are exactly 20 tabline format items (the exact size of the +" initial tabline items array), test that we don't write beyond the size +" of the array. +func Test_tabline_20_format_items_no_overrun() + set showtabline=2 + + let tabline = repeat('%#StatColorHi2#', 20) + let &tabline = tabline + redrawtabline + set showtabline& tabline& +endfunc " vim: shiftwidth=2 sts=2 expandtab |