patch 7.4.1052

Problem:    Illegal memory access with weird syntax command. (Dominique Pelle)
Solution:   Check for column past end of line.

Author: brammool

src/syntax.c

@@ -3022,6 +3022,8 @@ find_endpos(idx, startpos, m_endpos, hl_endpos, flagsp, end_endpos,
 	    if (r && regmatch.startpos[0].col
 					     <= best_regmatch.startpos[0].col)
 	    {
+		int line_len;
+
 		/* Add offset to skip pattern match */
 		syn_add_end_off(&pos, &regmatch, spp_skip, SPO_ME_OFF, 1);
 
@@ -3031,6 +3033,7 @@ find_endpos(idx, startpos, m_endpos, hl_endpos, flagsp, end_endpos,
 		    break;
 
 		line = ml_get_buf(syn_buf, startpos->lnum, FALSE);
+		line_len = (int)STRLEN(line);
 
 		/* take care of an empty match or negative offset */
 		if (pos.col <= matchcol)
@@ -3040,12 +3043,12 @@ find_endpos(idx, startpos, m_endpos, hl_endpos, flagsp, end_endpos,
 		else
 		    /* Be careful not to jump over the NUL at the end-of-line */
 		    for (matchcol = regmatch.endpos[0].col;
-			    line[matchcol] != NUL && matchcol < pos.col;
+			    matchcol < line_len && matchcol < pos.col;
 								   ++matchcol)
 			;
 
 		/* if the skip pattern includes end-of-line, break here */
-		if (line[matchcol] == NUL)
+		if (matchcol >= line_len)
 		    break;
 
 		continue;	    /* start with first end pattern again */

src/version.c

@@ -741,6 +741,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1052,
 /**/
     1051,
 /**/