From d283e758ea8646d92a53cebb457f16a0ddf49d75 Mon Sep 17 00:00:00 2001
From: ZyX
Date: Sun, 6 Sep 2015 05:31:04 +0300
Subject: shada: Fix out-of-bounds array access

It leads to a memory leak as well. May overwrite wms->jumps_size.
---
 src/nvim/shada.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/nvim/shada.c b/src/nvim/shada.c
index 190e5a6cbe..d6a507eb50 100644
--- a/src/nvim/shada.c
+++ b/src/nvim/shada.c
@@ -1209,8 +1209,11 @@ static inline bool marks_equal(const pos_T a, const pos_T b)
 if (i > 0) { \
 if (jl_len == JUMPLISTSIZE) { \
 free_func(jumps[0]); \
+ if (i == JUMPLISTSIZE) { \
+ i = JUMPLISTSIZE - 1; \
+ } \
 memmove(&jumps[0], &jumps[1], sizeof(jumps[1]) * (size_t) i); \
- } else { \
+ } else if (i != jl_len) { \
 memmove(&jumps[i + 1], &jumps[i], \
 sizeof(jumps[0]) * (size_t) (jl_len - i)); \
 } \
-- cgit
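Review bot: The clamp added in the `jl_len == JUMPLISTSIZE` branch covers only `i == JUMPLISTSIZE` and leaves the bound of the `memmove` below it implicit: that call reads `i` elements starting at `jumps[1]`, so it stays inside the array only while `i <= JUMPLISTSIZE - 1`. Nothing in the hunk shows where `i` is otherwise bounded, so a comment above the clamp should record the invariant, for example `/* memmove below reads jumps[1..i]; i must not exceed JUMPLISTSIZE - 1 */`. The clamp also rewrites `i` itself; if the code after the hunk uses `i` as the slot for the new entry, it is worth confirming that in the full-list case with `i < JUMPLISTSIZE` the element shifted down to `jumps[i - 1]` is meant to end up ahead of the entry written at `jumps[i]`. The macro body starts and ends outside the hunk, so both points need checking against the surrounding lines.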