From 6b949615edac2dd33d5e865be8328561f296b045 Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Mon, 29 Jun 2020 23:18:42 +0200 Subject: [PATCH] patch 8.2.1095: may use pointer after freeing it Problem: May use pointer after freeing it when text properties are used. Solution: Update redo buffer before calling ml_replace(). --- src/spellsuggest.c | 7 ++++--- src/version.c | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/spellsuggest.c b/src/spellsuggest.c index c03233f52..6f9a75698 100644 --- a/src/spellsuggest.c +++ b/src/spellsuggest.c @@ -676,8 +676,6 @@ spell_suggest(int count) mch_memmove(p, line, c); STRCPY(p + c, stp->st_word); STRCAT(p, sug.su_badptr + stp->st_orglen); - ml_replace(curwin->w_cursor.lnum, p, FALSE); - curwin->w_cursor.col = c; // For redo we use a change-word command. ResetRedobuff(); @@ -686,7 +684,10 @@ spell_suggest(int count) stp->st_wordlen + sug.su_badlen - stp->st_orglen); AppendCharToRedobuff(ESC); - // After this "p" may be invalid. + // "p" may be freed here + ml_replace(curwin->w_cursor.lnum, p, FALSE); + curwin->w_cursor.col = c; + changed_bytes(curwin->w_cursor.lnum, c); } } diff --git a/src/version.c b/src/version.c index 83f5c2efe..4406488bb 100644 --- a/src/version.c +++ b/src/version.c @@ -754,6 +754,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1095, /**/ 1094, /**/