patch 9.1.0647: [security] use-after-free in tagstack_clear_entry

Problem:  [security] use-after-free in tagstack_clear_entry
          (Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
          entries, let's use tagstack_clear_entry(), which will
          also free the stack, but using the VIM_CLEAR macro,
          which prevents a use-after-free by setting those pointers
          to NULL

This addresses CVE-2024-41957

Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4

Signed-off-by: Christian Brabandt <cb@256bit.org>

src/testdir/test_crash.vim

@@ -190,6 +190,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
 
+  let file = 'crash/double_free'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 50)
+
   " clean up
   exe buf .. "bw!"
   bw!

src/version.c

@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    647,
 /**/
     646,
 /**/

src/window.c

@@ -5837,10 +5837,7 @@ win_free(
     win_free_lsize(wp);
 
     for (i = 0; i < wp->w_tagstacklen; ++i)
-    {
-	vim_free(wp->w_tagstack[i].tagname);
-	vim_free(wp->w_tagstack[i].user_data);
-    }
+	tagstack_clear_entry(&wp->w_tagstack[i]);
     vim_free(wp->w_localdir);
     vim_free(wp->w_prevdir);