# HG changeset patch # User Bram Moolenaar # Date 1657229402 -7200 # Node ID be069ab9d583c2bd312e5109a5d008bb5652acd0 # Parent 928bf80ce1e86392d146ff6b9ba640c39debaaa7 patch 9.0.0047: using freed memory with recursive substitute Commit: https://github.com/vim/vim/commit/32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea Author: Bram Moolenaar Date: Thu Jul 7 22:20:31 2022 +0100 patch 9.0.0047: using freed memory with recursive substitute Problem: Using freed memory with recursive substitute. Solution: Always make a copy for reg_prev_sub. diff --git a/src/ex_cmds.c b/src/ex_cmds.c --- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -3994,7 +3994,16 @@ ex_substitute(exarg_T *eap) sub_copy = sub; } else - sub = regtilde(sub, magic_isset()); + { + char_u *newsub = regtilde(sub, magic_isset()); + + if (newsub != sub) + { + // newsub was allocated, free it later. + sub_copy = newsub; + sub = newsub; + } + } /* * Check for a match on each line. diff --git a/src/regexp.c b/src/regexp.c --- a/src/regexp.c +++ b/src/regexp.c @@ -1766,11 +1766,11 @@ regtilde(char_u *source, int magic) } } + // Store a copy of newsub in reg_prev_sub. It is always allocated, + // because recursive calls may make the returned string invalid. vim_free(reg_prev_sub); - if (newsub != source) // newsub was allocated, just keep it - reg_prev_sub = newsub; - else // no ~ found, need to save newsub - reg_prev_sub = vim_strsave(newsub); + reg_prev_sub = vim_strsave(newsub); + return newsub; } diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim --- a/src/testdir/test_regexp_latin.vim +++ b/src/testdir/test_regexp_latin.vim @@ -1114,4 +1114,15 @@ func Test_using_two_engines_pattern() bwipe! endfunc +func Test_recursive_substitute_expr() + new + func Repl() + s + endfunc + silent! s/\%')/~\=Repl() + + bwipe! + delfunc Repl +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c 
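Review bot: The new `else` block in ex_substitute() infers ownership from pointer identity (`newsub != sub`), and the comment `// newsub was allocated, free it later.` says neither where the free happens nor why the caller now owns the string. I would state the contract at this spot, e.g. `// regtilde() returned a fresh allocation that we own; reg_prev_sub keeps its own copy, so a nested :s cannot free this one.` The release of sub_copy is outside the hunk, so it is worth confirming that every exit path after this point frees it, because before this change the non-expression branch had nothing to free. ex_substitute() starts and ends outside the hunk.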
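Review bot: The result of `vim_strsave(newsub)` is assigned to reg_prev_sub unchecked, and after this change that copy is made on every call rather than only when no `~` was expanded. If the allocation fails, reg_prev_sub is left NULL and the previous substitute string is silently dropped. Readers of reg_prev_sub presumably tolerate NULL (not visible here), but a comment such as `// On allocation failure reg_prev_sub becomes NULL: no previous substitute.` would mark that as intended. The commit also changes who owns the return value: when it differs from `source`, the caller must now free it. That belongs in regtilde()'s header comment, which is outside the hunk.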
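Review bot: Test_recursive_substitute_expr() has no assertion and runs the command under `silent!`, so it passes whenever Vim does not crash. The regression is therefore only caught in a build with a memory checker, and nothing in the test says so. I would add a comment above the substitute, e.g. `" This used to access freed memory; only detected when run with ASAN or valgrind.` The helper is also defined as a global `Repl()` and removed only by the final `delfunc Repl`. A more specific name would avoid clashing with other tests if this one aborts before cleanup.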
@@ -736,6 +736,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 47, +/**/ 46, /**/ 45,