From 35a3423c6ae785bf739319e1ec416b2de1462a8c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 13 Aug 2010 16:51:26 +0200
Subject: [PATCH] Fix illegal memory access when using expressions in the command line.
---
 runtime/doc/todo.txt | 2 --
 src/ex_getln.c | 5 ++++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/runtime/doc/todo.txt b/runtime/doc/todo.txt
index 56faa68493..dbb5be7309 100644
--- a/runtime/doc/todo.txt
+++ b/runtime/doc/todo.txt
@@ -30,8 +30,6 @@ be worked on, but only if you sponsor Vim development. See |sponsor|.
 *known-bugs*
 -------------------- Known bugs and current work -----------------------
-Patch for crash with cmdline editing functions. (Dominique Pelle, 2010 Aug 12)
-
 Have a close look at :find completion, anything that could be wrong?
 Test 73 fails on MS-Windows when compiled with DJGPP and run twice. How to
diff --git a/src/ex_getln.c b/src/ex_getln.c
index d2925535e4..1cf6785437 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -2527,7 +2527,10 @@ realloc_cmdbuff(len)
 ccline.cmdbuff = p; /* keep the old one */
 return FAIL;
 }
- mch_memmove(ccline.cmdbuff, p, (size_t)ccline.cmdlen + 1);
+ /* There isn't always a NUL after the command, but it may need to be
+ * there, thus copy up to the NUL and add a NUL. */
+ mch_memmove(ccline.cmdbuff, p, (size_t)ccline.cmdlen);
+ ccline.cmdbuff[ccline.cmdlen] = NUL;
 vim_free(p);
 if (ccline.xpc != NULL
-- GitLab
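Review bot: The added store `ccline.cmdbuff[ccline.cmdlen] = NUL;` in the src/ex_getln.c hunk is in bounds only if the buffer just obtained from `alloc_cmdbuff(len)` holds at least `ccline.cmdlen + 1` bytes, and none of the visible lines establishes that `len` exceeds `ccline.cmdlen`. `realloc_cmdbuff` begins before this hunk, so the size check presumably sits earlier in the function; it is worth confirming, because the fix replaces a one-byte over-read of the old buffer with a write into the new one. The new comment also says "copy up to the NUL", while the code copies exactly `ccline.cmdlen` bytes and never looks for a NUL. A more precise wording would be `/* The old buffer may lack a NUL at cmdbuff[cmdlen]: copy cmdlen bytes only and terminate explicitly (requires new size > cmdlen). */`.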