From 77a6153d28a15874d864dfd07d84f25369790942 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <bram@vim.org>
Date: Mon, 20 May 2013 13:44:29 +0200
Subject: updated for version 7.3.975 Problem:    Crash in regexp parsing.
 Solution:   Correctly compute the end of allocated memory.

---
 src/regexp_nfa.c | 9 +++++++--
 src/version.c    | 2 ++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
index 92292e50..eea17381 100644
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -231,14 +231,19 @@ nfa_regcomp_start(expr, re_flags)
     /* A reasonable estimation for size */
     nstate_max = (STRLEN(expr) + 1) * NFA_POSTFIX_MULTIPLIER;
 
-    /* Size for postfix representation of expr */
+    /* Some items blow up in size, such as [A-z].  Add more space for that.
+     * TODO: some patterns may still fail. */
+//    nstate_max += 1000;
+
+    /* Size for postfix representation of expr. */
     postfix_size = sizeof(*post_start) * nstate_max;
+
     post_start = (int *)lalloc(postfix_size, TRUE);
     if (post_start == NULL)
 	return FAIL;
     vim_memset(post_start, 0, postfix_size);
     post_ptr = post_start;
-    post_end = post_start + postfix_size;
+    post_end = post_start + nstate_max;
     nfa_has_zend = FALSE;
 
     regcomp_start(expr, re_flags);
diff --git a/src/version.c b/src/version.c
index 6c6b6509..6f07a041 100644
--- a/src/version.c
+++ b/src/version.c
@@ -728,6 +728,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    975,
 /**/
     974,
 /**/
-- 
cgit v1.2.1