changeset 35873:3e2f18adac4a v9.1.0648

patch 9.1.0648: [security] double-free in dialog_changed() Commit: https://github.com/vim/vim/commit/b29f4abcd4b3382fa746edd1d0562b7b48c9de60 Author: Christian Brabandt <cb@256bit.org> Date: Thu Aug 1 22:10:28 2024 +0200 patch 9.1.0648: [security] double-free in dialog_changed() Problem: [security] double-free in dialog_changed() (SuyueGuo) Solution: Only clear the b_sfname pointer if it is different from the b_ffname pointer. Don't try to free b_fname; set it to NULL instead. fixes: #15403 Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Thu, 01 Aug 2024 22:45:08 +0200
parents ba09f6d684f4
children d6db0423a54b
files src/ex_cmds2.c src/testdir/crash/dialog_changed_uaf src/testdir/test_crash.vim src/version.c
diffstat 4 files changed, 12 insertions(+), 2 deletions(-) [+]
--- a/src/ex_cmds2.c
+++ b/src/ex_cmds2.c
@@ -197,9 +197,11 @@ dialog_changed(
 	// restore to empty when write failed
 	if (empty_bufname)
 	{
-	    VIM_CLEAR(buf->b_fname);
+	    // prevent double free
+	    if (buf->b_sfname != buf->b_ffname)
+		VIM_CLEAR(buf->b_sfname);
+	    buf->b_fname = NULL;
 	    VIM_CLEAR(buf->b_ffname);
-	    VIM_CLEAR(buf->b_sfname);
 	    unchanged(buf, TRUE, FALSE);
 	}
     }
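Review bot: When `buf->b_sfname` and `buf->b_ffname` point at the same allocation, the new guard on the `if (buf->b_sfname != buf->b_ffname)` line skips the free but leaves `b_sfname` pointing at memory that `VIM_CLEAR(buf->b_ffname)` releases two lines later, so the buffer keeps a dangling short name when `unchanged()` runs. Add an else branch, `else buf->b_sfname = NULL;`, so the aliased and the non-aliased case both end with all three name pointers NULL. The comment `// prevent double free` could also state why the aliasing exists, e.g. `// b_fname (and possibly b_sfname) alias b_ffname: free the storage once, then NULL all three`, though the aliasing rules are only implied by the commit message and should be confirmed against where these names are assigned. dialog_changed() starts and ends outside the hunk.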
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..e37d18d6daca107697bd19934b34054aa09e48a4
GIT binary patch
literal 552
zc$|HZ!A{gb7=ZsSVA4N<B{3lzPeW6)o32GS;$lijP<BHgK%>z`lOEb_XQfzXmQI(h
zB_W$|Q|}&p0gqgG09c>IH^2vQY{3M*_+2KMf0FsW-;3+@IuRCkT?KsheM9>PYxf3_
zKdV@O^#&P_54@<-*s*MNE}G?)x#?mw9{(6$b6}b#>1NrtU6y5b+qTba+up+U*Bj5*
zZ|@@?Q-P6y0s?@8#+s@sOG}Kgea4(x;&lZ!-L@7lBMo1${9g#LG?KD<f=@b~&S0J>
zuw8H-;*^wAh<J1?j^9}XyD8ED%^nu2<=dpizsv64901W*1zPFa=ccnq$%OwjWP_oH
z4;sRc31pO@;7Dt;tJHN(lZ8VoaB4!1*kc%d$d_?1d1yQ{8&SDjDkI;@-;ma2({(ij
z><Yu6XlP#oGOy&Jf?a6rk>jAC3GsU{vnl$h4~CQoGC31~URzjbO#<y3Do?|7F-$1q
zJs!Wmug4A^BK(q4PG14gVLz7x4;*A4<NxhEs_YzE_MI#{%~p!Sx1k?%!F!46_y44+
c`gL0Fy;6ARqNSvIrGIMYmM=A6G({Nw1{)EhBme*a
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -196,6 +196,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 50)
 
+  let file = 'crash/dialog_changed_uaf'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
   bw!
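Review bot: The new run of `crash/dialog_changed_uaf` carries no comment saying what it reproduces, and since the script lands in this changeset as a binary blob a reader of the test cannot see the commands involved; a one-line comment above `let file = 'crash/dialog_changed_uaf'` such as `" double free of b_sfname/b_ffname in dialog_changed() (issue #15403)` would tie the fixture to the fix. The block also re-assigns `cmn_args` with what looks like the format string the earlier runs in this function already use, so if that variable is set above the hunk the `let cmn_args = ...` line is redundant and can be dropped. Test_crash1_3() begins before the hunk, so whether the 150 ms wait is followed by any check that Vim survived is not visible here.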
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    648,
+/**/
     647,
 /**/
     646,