shada: Fix out-of-bounds array access

It leads to a memory leak as well. May overwrite wms->jumps_size.
author: ZyX <kp-pav@yandex.ru> 2015-09-06 05:31:04 +0300
committer: ZyX <kp-pav@yandex.ru> 2015-10-08 22:01:07 +0300
commit: d283e758ea8646d92a53cebb457f16a0ddf49d75 (patch)
tree: b3a7295498ad81f2a5cb059191c4ba581fd39e8a /src
parent: 690d280fa8d7fd98969fa3fc5bae09a2cd928da6 (diff)
download: rneovim-d283e758ea8646d92a53cebb457f16a0ddf49d75.tar.gz
rneovim-d283e758ea8646d92a53cebb457f16a0ddf49d75.tar.bz2
rneovim-d283e758ea8646d92a53cebb457f16a0ddf49d75.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/nvim/shada.c b/src/nvim/shada.c
index 190e5a6cbe..d6a507eb50 100644
--- a/src/nvim/shada.c
+++ b/src/nvim/shada.c
@@ -1209,8 +1209,11 @@ static inline bool marks_equal(const pos_T a, const pos_T b)
     if (i > 0) { \
       if (jl_len == JUMPLISTSIZE) { \
         free_func(jumps[0]); \
+        if (i == JUMPLISTSIZE) { \
+          i = JUMPLISTSIZE - 1; \
+        } \
         memmove(&jumps[0], &jumps[1], sizeof(jumps[1]) * (size_t) i); \
-      } else { \
+      } else if (i != jl_len) { \
         memmove(&jumps[i + 1], &jumps[i], \
                 sizeof(jumps[0]) * (size_t) (jl_len - i)); \
       } \
author	ZyX <kp-pav@yandex.ru>	2015-09-06 05:31:04 +0300
committer	ZyX <kp-pav@yandex.ru>	2015-10-08 22:01:07 +0300
commit	d283e758ea8646d92a53cebb457f16a0ddf49d75 (patch)
tree	b3a7295498ad81f2a5cb059191c4ba581fd39e8a /src
parent	690d280fa8d7fd98969fa3fc5bae09a2cd928da6 (diff)
download	rneovim-d283e758ea8646d92a53cebb457f16a0ddf49d75.tar.gz rneovim-d283e758ea8646d92a53cebb457f16a0ddf49d75.tar.bz2 rneovim-d283e758ea8646d92a53cebb457f16a0ddf49d75.zip