# HG changeset patch
# User Bram Moolenaar <Bram@vim.org>
# Date 1573335004 -3600
# Node ID 23fef64352a14b6f0c2e7f0e7ef044d06e4c3d87
# Parent  e268594d460aab3bee01a3ae5239019e6fb7812d
patch 8.1.2280: crash when passing partial to substitute()

Commit: https://github.com/vim/vim/commit/b0745b221d284e381f1bd4b591cd68ea54b6a51d
Author: Bram Moolenaar <Bram@vim.org>
Date:   Sat Nov 9 22:28:11 2019 +0100

    patch 8.1.2280: crash when passing partial to substitute()

    Problem:    Crash when passing partial to substitute().
    Solution:   Take extra arguments into account. (closes https://github.com/vim/vim/issues/5186)

diff --git a/src/proto/regexp.pro b/src/proto/regexp.pro
--- a/src/proto/regexp.pro
+++ b/src/proto/regexp.pro
@@ -1,8 +1,6 @@
 /* regexp.c */
 int re_multiline(regprog_T *prog);
 char_u *skip_regexp(char_u *startp, int dirc, int magic, char_u **newp);
-int vim_regcomp_had_eol(void);
-void free_regexp_stuff(void);
 reg_extmatch_T *ref_extmatch(reg_extmatch_T *em);
 void unref_extmatch(reg_extmatch_T *em);
 char_u *regtilde(char_u *source, int magic);
@@ -10,8 +8,10 @@ int vim_regsub(regmatch_T *rmp, char_u *
 int vim_regsub_multi(regmmatch_T *rmp, linenr_T lnum, char_u *source, char_u *dest, int copy, int magic, int backslash);
 char_u *reg_submatch(int no);
 list_T *reg_submatch_list(int no);
+int vim_regcomp_had_eol(void);
 regprog_T *vim_regcomp(char_u *expr_arg, int re_flags);
 void vim_regfree(regprog_T *prog);
+void free_regexp_stuff(void);
 int regprog_in_use(regprog_T *prog);
 int vim_regexec_prog(regprog_T **prog, int ignore_case, char_u *line, colnr_T col);
 int vim_regexec(regmatch_T *rmp, char_u *line, colnr_T col);
diff --git a/src/regexp.c b/src/regexp.c
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1784,25 +1784,26 @@ static regsubmatch_T rsm;  /* can only b
 #ifdef FEAT_EVAL
 
 /*
- * Put the submatches in "argv[0]" which is a list passed into call_func() by
- * vim_regsub_both().
+ * Put the submatches in "argv[argskip]" which is a list passed into
+ * call_func() by vim_regsub_both().
  */
     static int
-fill_submatch_list(int argc UNUSED, typval_T *argv, int argcount)
+fill_submatch_list(int argc UNUSED, typval_T *argv, int argskip, int argcount)
 {
     listitem_T	*li;
     int		i;
     char_u	*s;
+    typval_T	*listarg = argv + argskip;
 
-    if (argcount == 0)
-	/* called function doesn't take an argument */
-	return 0;
+    if (argcount == argskip)
+	// called function doesn't take a submatches argument
+	return argskip;
 
-    /* Relies on sl_list to be the first item in staticList10_T. */
-    init_static_list((staticList10_T *)(argv->vval.v_list));
+    // Relies on sl_list to be the first item in staticList10_T.
+    init_static_list((staticList10_T *)(listarg->vval.v_list));
 
-    /* There are always 10 list items in staticList10_T. */
-    li = argv->vval.v_list->lv_first;
+    // There are always 10 list items in staticList10_T.
+    li = listarg->vval.v_list->lv_first;
     for (i = 0; i < 10; ++i)
     {
 	s = rsm.sm_match->startp[i];
@@ -1814,7 +1815,7 @@ fill_submatch_list(int argc UNUSED, typv
 	li->li_tv.vval.v_string = s;
 	li = li->li_next;
     }
-    return 1;
+    return argskip + 1;
 }
 
     static void
diff --git a/src/structs.h b/src/structs.h
--- a/src/structs.h
+++ b/src/structs.h
@@ -1627,10 +1627,11 @@ typedef struct
 //
 // "argv_func", when not NULL, can be used to fill in arguments only when the
 // invoked function uses them.  It is called like this:
-//   new_argcount = argv_func(current_argcount, argv, called_func_argcount)
+//   new_argcount = argv_func(current_argcount, argv, partial_argcount,
+//							called_func_argcount)
 //
 typedef struct {
-    int		(* argv_func)(int, typval_T *, int);
+    int		(* argv_func)(int, typval_T *, int, int);
     linenr_T	firstline;	// first line of range
     linenr_T	lastline;	// last line of range
     int		*doesrange;	// if not NULL: return: function handled range
diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -405,6 +405,14 @@ func Test_sub_replace_10()
    call assert_equal('1aaa', substitute('123', '1\zs\|[23]', 'a', 'g'))
 endfunc
 
+func SubReplacer(text, submatches)
+  return a:text .. a:submatches[0] .. a:text
+endfunc
+
+func Test_substitute_partial()
+   call assert_equal('1foo2foo3', substitute('123', '2', function('SubReplacer', ['foo']), 'g'))
+endfunc
+
 " Tests for *sub-replace-special* and *sub-replace-expression* on :substitute.
 
 " Execute a list of :substitute command tests
diff --git a/src/userfunc.c b/src/userfunc.c
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -1588,7 +1588,8 @@ call_func(
 	    else if (fp != NULL)
 	    {
 		if (funcexe->argv_func != NULL)
-		    argcount = funcexe->argv_func(argcount, argvars,
+		    // postponed filling in the arguments, do it now
+		    argcount = funcexe->argv_func(argcount, argvars, argv_clear,
 							   fp->uf_args.ga_len);
 
 		if (funcexe->basetv != NULL)
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -742,6 +742,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    2280,
+/**/
     2279,
 /**/
     2278,