From 4420dc3067a776271a94080a4b1b42a1e74bb2dc Mon Sep 17 00:00:00 2001
From: Jan Edmund Lazo
Date: Thu, 9 Aug 2018 00:51:40 -0400
Subject: vim-patch:8.0.1421: accessing invalid memory with overlong byte sequence
Problem: Accessing invalid memory with overlong byte sequence.
Solution: Check for NUL character. (test by Dominique Pelle, closes vim/vim#2485)
https://github.com/vim/vim/commit/e6640ad44e2186bd3642b972115496d347cd1fdd
---
 src/nvim/strings.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'src/nvim/strings.c')
diff --git a/src/nvim/strings.c b/src/nvim/strings.c
index 3f31914c03..d812aba048 100644
--- a/src/nvim/strings.c
+++ b/src/nvim/strings.c
@@ -344,14 +344,17 @@ char *strcase_save(const char *const orig, bool upper)
 char *p = res;
 while (*p != NUL) {
- int l;
-
 int c = utf_ptr2char((const char_u *)p);
+ int l = utf_ptr2len((const char_u *)p);
+ if (c == 0) {
+ // overlong sequence, use only the first byte
+ c = *p;
+ l = 1;
+ }
 int uc = upper ? mb_toupper(c) : mb_tolower(c);
 // Reallocate string when byte count changes. This is rare,
 // thus it's OK to do another malloc()/free().
- l = utf_ptr2len((const char_u *)p);
 int newl = utf_char2len(uc);
 if (newl != l) {
 // TODO(philix): use xrealloc() in strup_save()
-- cgit
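Review bot: In the added overlong-sequence branch, `c = *p;` reads the byte through `char *p`, so where plain `char` is signed a byte of 0x80 or above is sign-extended to a negative `int`. This branch is only reached for a non-NUL byte that, per the comment, starts a multi-byte sequence, so the high bit is presumably always set here. The negative value is then passed to `mb_toupper()`/`mb_tolower()` and on to `utf_char2len(uc)`; how those helpers treat a negative argument is not visible in this hunk, but it is safer not to depend on it. I would read the byte as unsigned, `c = (unsigned char)*p;`, and extend the comment to `// overlong sequence, use only the first byte (as an unsigned value)`. The body of `strcase_save` starts before and continues past this hunk, so the later use of `uc` and `l` should be checked against the same assumption.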