From c390cc13e55b25d85a0684aa1becde881ef8ab19 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 7 Aug 2022 18:09:10 +0100
Subject: [PATCH] patch 9.0.0164: using freed memory with put command

Problem:    Using freed memory with put command.
Solution:   Get byte offset before replacing the line.
---
 src/register.c | 8 +++++---
 src/version.c  | 2 ++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/register.c b/src/register.c
index f34a0ddbb0..2dafeabf5e 100644
--- a/src/register.c
+++ b/src/register.c
@@ -2099,13 +2099,15 @@ do_put(
 			ptr += yanklen;
 		    }
 		    STRMOVE(ptr, oldp + col);
-		    ml_replace(lnum, newp, FALSE);
-
-		    inserted_bytes(lnum, col, totlen);
 
 		    // compute the byte offset for the last character
 		    first_byte_off = mb_head_off(newp, ptr - 1);
 
+		    // Note: this may free "newp"
+		    ml_replace(lnum, newp, FALSE);
+
+		    inserted_bytes(lnum, col, totlen);
+
 		    // Place cursor on last putted char.
 		    if (lnum == curwin->w_cursor.lnum)
 		    {
diff --git a/src/version.c b/src/version.c
index 9207b7f69f..be59f1be2e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -735,6 +735,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    164,
 /**/
     163,
 /**/