From 53323784191506ea8e8b11043a4cc5bf14c409ad Mon Sep 17 00:00:00 2001
From: Maxime Coste
Date: Wed, 30 Mar 2016 19:26:26 +0100
Subject: [PATCH] Fix spaces_to_tabs implementation accessing past end

Fixes #643
---
 src/normal.cc | 5 +++--
 .../643-crash-on-a-@-on-specially-crafted-buffer/cmd | 1 +
 .../643-crash-on-a-@-on-specially-crafted-buffer/in | 1 +
 .../643-crash-on-a-@-on-specially-crafted-buffer/out | 1 +
 4 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 test/regression/643-crash-on-a-@-on-specially-crafted-buffer/cmd
 create mode 100644 test/regression/643-crash-on-a-@-on-specially-crafted-buffer/in
 create mode 100644 test/regression/643-crash-on-a-@-on-specially-crafted-buffer/out

diff --git a/src/normal.cc b/src/normal.cc
index 13ecd9e2..6f461c75 100644
--- a/src/normal.cc
+++ b/src/normal.cc
@@ -1327,14 +1327,15 @@ void spaces_to_tabs(Context& context, NormalParams params)
 auto spaces_beg = it;
 auto spaces_end = spaces_beg+1;
 CharCount col = get_column(buffer, opt_tabstop, spaces_end.coord());
- while (*spaces_end == ' ' and (col % tabstop) != 0)
+ while (spaces_end != end and
+ *spaces_end == ' ' and (col % tabstop) != 0)
 {
 ++spaces_end;
 ++col;
 }
 if ((col % tabstop) == 0)
 spaces.push_back({spaces_beg.coord(), (spaces_end-1).coord()});
- else if (*spaces_end == '\t')
+ else if (spaces_end != end and *spaces_end == '\t')
 spaces.push_back({spaces_beg.coord(), spaces_end.coord()});
 it = spaces_end;
 }
diff --git a/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/cmd b/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/cmd
new file mode 100644
index 00000000..c62a19d8
--- /dev/null
+++ b/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/cmd
@@ -0,0 +1 @@
+gg2l
diff --git a/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/in b/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/in
new file mode 100644
index 00000000..98d337bf
--- /dev/null
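Review bot: `spaces_end` is still initialised to `spaces_beg+1` and its `.coord()` is passed to `get_column` before either of the new `spaces_end != end` checks runs, so when `it` is the last position of the range that call receives the one-past-the-end coordinate. The two added guards cover the dereferences in the `while` condition and in the `else if`, but whether `get_column` tolerates that coordinate is not visible in this hunk and should be confirmed. A short comment above the loop, for example `// spaces_end may equal end (one past the range); check before dereferencing`, would record the invariant this fix restores. `end` and the enclosing loop of spaces_to_tabs are defined outside the hunk.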
+++ b/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/in
@@ -0,0 +1 @@
+ hello
diff --git a/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/out b/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/out
new file mode 100644
index 00000000..98d337bf
--- /dev/null
+++ b/test/regression/643-crash-on-a-@-on-specially-crafted-buffer/out
@@ -0,0 +1 @@
+ hello
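Review bot: `in` and `out` share the same blob (`98d337bf`), so this regression case passes whenever the command leaves the buffer unchanged and the process survives. A read one element past the range does not reliably crash in an unsanitised build, so the case may also pass against the unfixed code unless the suite runs with AddressSanitizer or with the iterator's own bounds assertions enabled. If the suite does not already run that way, it is worth stating that requirement next to the test or in the CI notes.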