From 73cc729dbc156c5882e1db96b35913d4df48c7ba Mon Sep 17 00:00:00 2001
From: Sean Dewar <seandewar@users.noreply.github.com>
Date: Sat, 19 Feb 2022 14:22:32 +0000
Subject: vim-patch:8.2.4419: illegal memory access when using 20 highlights

Problem:    Illegal memory access when using exactly 20 highlights.
Solution:   Add one more item in the array. (Brandon Richardson,
            closes vim/vim#9800)
https://github.com/vim/vim/commit/a493b6506b67887a1cc2d1c00a896598c3b2d445
---
 src/nvim/buffer.c                 | 12 ++++++++----
 src/nvim/testdir/test_tabline.vim | 11 +++++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c
index 38b045b31c..aada11bc9e 100644
--- a/src/nvim/buffer.c
+++ b/src/nvim/buffer.c
@@ -3438,8 +3438,12 @@ int build_stl_str_hl(win_T *wp, char_u *out, size_t outlen, char_u *fmt, int use
   if (stl_items == NULL) {
     stl_items = xmalloc(sizeof(stl_item_t) * stl_items_len);
     stl_groupitems = xmalloc(sizeof(int) * stl_items_len);
-    stl_hltab  = xmalloc(sizeof(stl_hlrec_t) * stl_items_len);
-    stl_tabtab = xmalloc(sizeof(StlClickRecord) * stl_items_len);
+
+    // Allocate one more, because the last element is used to indicate the
+    // end of the list.
+    stl_hltab  = xmalloc(sizeof(stl_hlrec_t) * (stl_items_len + 1));
+    stl_tabtab = xmalloc(sizeof(StlClickRecord) * (stl_items_len + 1));
+
     stl_separator_locations = xmalloc(sizeof(int) * stl_items_len);
   }
 
@@ -3514,8 +3518,8 @@ int build_stl_str_hl(win_T *wp, char_u *out, size_t outlen, char_u *fmt, int use
 
       stl_items = xrealloc(stl_items, sizeof(stl_item_t) * new_len);
       stl_groupitems = xrealloc(stl_groupitems, sizeof(int) * new_len);
-      stl_hltab = xrealloc(stl_hltab, sizeof(stl_hlrec_t) * new_len);
-      stl_tabtab = xrealloc(stl_tabtab, sizeof(StlClickRecord) * new_len);
+      stl_hltab = xrealloc(stl_hltab, sizeof(stl_hlrec_t) * (new_len + 1));
+      stl_tabtab = xrealloc(stl_tabtab, sizeof(StlClickRecord) * (new_len + 1));
       stl_separator_locations =
         xrealloc(stl_separator_locations, sizeof(int) * new_len);
 
diff --git a/src/nvim/testdir/test_tabline.vim b/src/nvim/testdir/test_tabline.vim
index 117d962d08..3a18206078 100644
--- a/src/nvim/testdir/test_tabline.vim
+++ b/src/nvim/testdir/test_tabline.vim
@@ -86,6 +86,17 @@ func Test_tabline_empty_group()
   set tabline=
 endfunc
 
+" When there are exactly 20 tabline format items (the exact size of the
+" initial tabline items array), test that we don't write beyond the size
+" of the array.
+func Test_tabline_20_format_items_no_overrun()
+  set showtabline=2
+
+  let tabline = repeat('%#StatColorHi2#', 20)
+  let &tabline = tabline
+  redrawtabline
 
+  set showtabline& tabline&
+endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab
-- 
cgit