authorZyX <kp-pav@yandex.ru>2015-08-13 23:31:14 +0300
committerZyX <kp-pav@yandex.ru>2015-10-08 22:00:41 +0300
commit689390210a03aef00b627327dc8ce8723f2ecb4d (patch)
treeb7e8e4de40cb71d1a7a7237706d105d888cb6416 /src
parent1a348f8ed82bce1d7fb56c907c7508e10914299f (diff)
mark: Fix out-of-bounds array access when iterating over global marks
Diffstat (limited to 'src')
-rw-r--r--src/nvim/mark.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/nvim/mark.c b/src/nvim/mark.c
index 6ab0403e30..38495079e3 100644
--- a/src/nvim/mark.c
+++ b/src/nvim/mark.c
@@ -1203,12 +1203,14 @@ const void *mark_global_iter(const void *const iter, char *const name,
const xfmark_T *iter_mark = (iter == NULL
? &(namedfm[0])
: (const xfmark_T *const) iter);
- while (!iter_mark->fmark.mark.lnum
- && (size_t) (iter_mark - &(namedfm[0])) < ARRAY_SIZE(namedfm)) {
+ while ((size_t) (iter_mark - &(namedfm[0])) < ARRAY_SIZE(namedfm)
+ && !iter_mark->fmark.mark.lnum) {
iter_mark++;
}
- if (!iter_mark->fmark.mark.lnum) {
- *fm = (xfmark_T) {.fmark = {.mark = {.lnum = 0}}};
+ if ((size_t) (iter_mark - &(namedfm[0])) == ARRAY_SIZE(namedfm)
+ || !iter_mark->fmark.mark.lnum) {
+ *fm = (xfmark_T) { .fmark = { .mark = { .lnum = 0 } } };
+ return NULL;
}
size_t iter_off = (size_t) (iter_mark - &(namedfm[0]));
*name = (char) (iter_off < NMARKS
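Review bot: The guard added after the loop compares the offset with `==`, so it catches only the exact one-past-the-end position; if `iter` (an opaque `const void *` supplied by the caller) ever points beyond `namedfm`, the loop is skipped, the `==` test is false, and the `|| !iter_mark->fmark.mark.lnum` operand still reads outside the array. Using `>=` closes that case and makes the second operand unnecessary, because the loop can only stop inside the array on a non-zero `lnum`: `if ((size_t) (iter_mark - &(namedfm[0])) >= ARRAY_SIZE(namedfm)) {`. The offset expression is now spelled out three times (loop condition, guard, `iter_off`); walking the array with a `size_t` index instead of a pointer would keep the bounds checks and the later use in agreement. Whether any caller can actually pass such an `iter` is not visible here, and mark_global_iter begins before and continues past this hunk.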