From a493b6506b67887a1cc2d1c00a896598c3b2d445 Mon Sep 17 00:00:00 2001
From: Brandon Richardson
Date: Sat, 19 Feb 2022 11:45:03 +0000
Subject: patch 8.2.4419: illegal memory access when using 20 highlights
Problem: Illegal memory access when using exactly 20 highlights.
Solution: Add one more item in the array. (Brandon Richardson, closes #9800)
---
 src/buffer.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'src/buffer.c')
diff --git a/src/buffer.c b/src/buffer.c
index bb9c77367..27e864387 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -4170,8 +4170,11 @@ build_stl_str_hl(
 {
 stl_items = ALLOC_MULT(stl_item_T, stl_items_len);
 stl_groupitem = ALLOC_MULT(int, stl_items_len);
- stl_hltab = ALLOC_MULT(stl_hlrec_T, stl_items_len);
- stl_tabtab = ALLOC_MULT(stl_hlrec_T, stl_items_len);
+
+ // Allocate one more, because the last element is used to indicate the
+ // end of the list.
+ stl_hltab = ALLOC_MULT(stl_hlrec_T, stl_items_len + 1);
+ stl_tabtab = ALLOC_MULT(stl_hlrec_T, stl_items_len + 1);
 }

 #ifdef FEAT_EVAL
@@ -4251,11 +4254,13 @@ build_stl_str_hl(
 if (new_groupitem == NULL)
 break;
 stl_groupitem = new_groupitem;
- new_hlrec = vim_realloc(stl_hltab, sizeof(stl_hlrec_T) * new_len);
+ new_hlrec = vim_realloc(stl_hltab,
+ sizeof(stl_hlrec_T) * (new_len + 1));
 if (new_hlrec == NULL)
 break;
 stl_hltab = new_hlrec;
- new_hlrec = vim_realloc(stl_tabtab, sizeof(stl_hlrec_T) * new_len);
+ new_hlrec = vim_realloc(stl_tabtab,
+ sizeof(stl_hlrec_T) * (new_len + 1));
 if (new_hlrec == NULL)
 break;
 stl_tabtab = new_hlrec;
--
cgit v1.2.1
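Review bot: The terminator slot is encoded as a bare `+ 1` at four separate sites, the two `ALLOC_MULT` calls in this hunk and the two `vim_realloc` calls in the second hunk, and only this site has the comment explaining it. A later resize path that forgets the extra element would bring back the illegal memory access this patch fixes, so I would name the invariant once and use it at all four sites, for example `#define STL_HLREC_COUNT(n) ((n) + 1) // one extra entry marks the end of the list` (the macro name is only a suggestion). The results of the four allocations are not checked in the visible lines; build_stl_str_hl() starts and ends outside the hunk, so whether NULL is handled further down cannot be confirmed from here.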
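Review bot: Each failed `vim_realloc` in this chain leaves with `break` after the earlier tables have already been grown and reassigned, so `stl_groupitem`, `stl_hltab` and `stl_tabtab` can end up with different capacities. That is safe only if `stl_items_len` is updated after the last realloc succeeds, which presumably happens below the hunk but is not visible here. I would add a comment above the first realloc to pin that ordering, such as `// stl_items_len is only updated once every table has been grown`. The size expression `sizeof(stl_hlrec_T) * (new_len + 1)` is also not checked for wrap-around; how `new_len` is computed and bounded lies outside the hunk.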