From fb4abc5188cf00b70b9ab7dca7c35e5b6832e38c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@moolenaar.net>
Date: Sun, 16 May 2010 13:24:39 +0000
Subject: [PATCH] [7.2.435] Crash when using bad_char_idx uninitialized.
 (Patrick Texier)

Problem:    Crash when using bad_char_idx uninitialized. (Patrick Texier)

Solution:   Don't use bad_char_idx, reproduce the ++bad argument from bad_char.

Patch 7.2.435 (after 7.2.430)
---
 src/eval.c     | 13 ++++++++-----
 src/ex_cmds.h  |  3 +--
 src/ex_docmd.c |  5 +++--
 src/version.c  |  2 ++
 4 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/eval.c b/src/eval.c
index ef9b6d1c..be59f982 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -18309,8 +18309,8 @@ set_cmdarg(eap, oldarg)
 # ifdef FEAT_MBYTE
     if (eap->force_enc != 0)
 	len += (unsigned)STRLEN(eap->cmd + eap->force_enc) + 7;
-    if (eap->bad_char_idx != 0)
-	len += (unsigned)STRLEN(eap->cmd + eap->bad_char_idx) + 7;
+    if (eap->bad_char != 0)
+	len += 7 + 4;  /* " ++bad=" + "keep" or "drop" */
 # endif
 
     newval = alloc(len + 1);
@@ -18334,9 +18334,12 @@ set_cmdarg(eap, oldarg)
     if (eap->force_enc != 0)
 	sprintf((char *)newval + STRLEN(newval), " ++enc=%s",
 					       eap->cmd + eap->force_enc);
-    if (eap->bad_char_idx != 0)
-	sprintf((char *)newval + STRLEN(newval), " ++bad=%s",
-					       eap->cmd + eap->bad_char_idx);
+    if (eap->bad_char == BAD_KEEP)
+	STRCPY(newval + STRLEN(newval), " ++bad=keep");
+    else if (eap->bad_char == BAD_DROP)
+	STRCPY(newval + STRLEN(newval), " ++bad=drop");
+    else if (eap->bad_char != 0)
+	sprintf((char *)newval + STRLEN(newval), " ++bad=%c", eap->bad_char);
 # endif
     vimvars[VV_CMDARG].vv_str = newval;
     return oldval;
diff --git a/src/ex_cmds.h b/src/ex_cmds.h
index eb472975..488feae8 100644
--- a/src/ex_cmds.h
+++ b/src/ex_cmds.h
@@ -1152,8 +1152,7 @@ struct exarg
     int		force_ff;	/* ++ff= argument (index in cmd[]) */
 #ifdef FEAT_MBYTE
     int		force_enc;	/* ++enc= argument (index in cmd[]) */
-    int		bad_char_idx;	/* ++bad= argument (index in cmd[]) */
-    int		bad_char;	/* BAD_KEEP, BAD_DROP or replacement char */
+    int		bad_char;	/* BAD_KEEP, BAD_DROP or replacement byte */
 #endif
 #ifdef FEAT_USR_CMDS
     int		useridx;	/* user command index */
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 748e3bc6..13e26d51 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4688,6 +4688,7 @@ getargopt(eap)
     char_u	*arg = eap->arg + 2;
     int		*pp = NULL;
 #ifdef FEAT_MBYTE
+    int		bad_char_idx;
     char_u	*p;
 #endif
 
@@ -4739,7 +4740,7 @@ getargopt(eap)
     else if (STRNCMP(arg, "bad", 3) == 0)
     {
 	arg += 3;
-	pp = &eap->bad_char_idx;
+	pp = &bad_char_idx;
     }
 #endif
 
@@ -4770,7 +4771,7 @@ getargopt(eap)
     {
 	/* Check ++bad= argument.  Must be a single-byte character, "keep" or
 	 * "drop". */
-	p = eap->cmd + eap->bad_char_idx;
+	p = eap->cmd + bad_char_idx;
 	if (STRICMP(p, "keep") == 0)
 	    eap->bad_char = BAD_KEEP;
 	else if (STRICMP(p, "drop") == 0)
diff --git a/src/version.c b/src/version.c
index f0cf4e44..84a3a1dd 100644
--- a/src/version.c
+++ b/src/version.c
@@ -682,6 +682,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    435,
+/**/
     434,
 /**/
     433,
-- 
2.11.4.GIT