From 689390210a03aef00b627327dc8ce8723f2ecb4d Mon Sep 17 00:00:00 2001
From: ZyX
Date: Thu, 13 Aug 2015 23:31:14 +0300
Subject: mark: Fix out-of-bounds array access when iterating over global marks

---
 src/nvim/mark.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/nvim/mark.c b/src/nvim/mark.c
index 6ab0403e30..38495079e3 100644
--- a/src/nvim/mark.c
+++ b/src/nvim/mark.c
@@ -1203,12 +1203,14 @@ const void *mark_global_iter(const void *const iter, char *const name,
   const xfmark_T *iter_mark = (iter == NULL
                                ? &(namedfm[0])
                                : (const xfmark_T *const) iter);
-  while (!iter_mark->fmark.mark.lnum
-         && (size_t) (iter_mark - &(namedfm[0])) < ARRAY_SIZE(namedfm)) {
+  while ((size_t) (iter_mark - &(namedfm[0])) < ARRAY_SIZE(namedfm)
+         && !iter_mark->fmark.mark.lnum) {
     iter_mark++;
   }
-  if (!iter_mark->fmark.mark.lnum) {
-    *fm = (xfmark_T) {.fmark = {.mark = {.lnum = 0}}};
+  if ((size_t) (iter_mark - &(namedfm[0])) == ARRAY_SIZE(namedfm)
+      || !iter_mark->fmark.mark.lnum) {
+    *fm = (xfmark_T) { .fmark = { .mark = { .lnum = 0 } } };
+    return NULL;
   }
   size_t iter_off = (size_t) (iter_mark - &(namedfm[0]));
   *name = (char) (iter_off < NMARKS
--
cgit
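Review bot: The second disjunct of the new `if` (`|| !iter_mark->fmark.mark.lnum`) is unreachable as a true branch: the loop above only stops short of `ARRAY_SIZE(namedfm)` when `lnum` is non-zero, so after the loop the element-count comparison alone decides, and keeping the dereference in the condition again invites the same reorder hazard the commit fixes. The `iter_mark - &(namedfm[0])` offset is also computed three times in this hunk while `iter_off` is only declared after the check; hoisting it makes the bound the single source of truth, e.g. `size_t iter_off = (size_t) (iter_mark - &(namedfm[0]));` directly after the loop, then `if (iter_off == ARRAY_SIZE(namedfm)) {` and dropping the later `size_t iter_off` declaration. The reordered `while` condition is correct only because `&&` short-circuits; a one-line comment such as `// bounds check first: iter_mark may already be one past the end` would keep a future edit from swapping it back. The cast of the caller-supplied `iter` to `const xfmark_T *` is not validated against `namedfm`, which seems to be the iterator contract rather than a defect here, but it is worth noting in the function's doc comment. The signature of `mark_global_iter` and the rest of its body lie outside the hunk.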