# HG changeset patch
# User Bram Moolenaar
# Date 1593456304 -7200
# Node ID 87e85a13e9cf6a7378dba7f632a9683e907da1ca
# Parent bb3674ff2c25b7b8f4c49541d2574652cfe616b6
patch 8.2.1086: possibly using freed memory when text properties used
Commit: https://github.com/vim/vim/commit/cf30643ae607ae1a97b50e19c622dc8303723fa2
Author: Bram Moolenaar
Date: Mon Jun 29 20:40:37 2020 +0200
patch 8.2.1086: possibly using freed memory when text properties used
Problem: Possibly using freed memory when text properties used when changing indent of a line.
Solution: Compute the offset before calling ml_replace().
diff --git a/src/indent.c b/src/indent.c
--- a/src/indent.c
+++ b/src/indent.c
@@ -757,6 +757,10 @@ set_indent(
 // Replace the line (unless undo fails).
 if (!(flags & SIN_UNDO) || u_savesub(curwin->w_cursor.lnum) == OK)
 {
+ colnr_T old_offset = (colnr_T)(p - oldline);
+ colnr_T new_offset = (colnr_T)(s - newline);
+
+ // this may free "newline"
 ml_replace(curwin->w_cursor.lnum, newline, FALSE);
 if (flags & SIN_CHANGED)
 changed_bytes(curwin->w_cursor.lnum, 0);
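Review bot: The added comment `// this may free "newline"` in the -757/+757 hunk of set_indent names only one of the two buffers whose offsets are captured before ml_replace(). old_offset is computed from `oldline` at the same point, which suggests `oldline` is no safer after the call, though where it is obtained lies outside the hunk. I would state the invariant in full, for example `// ml_replace() may free "newline": do not use "p", "s", "oldline" or "newline" below this line`. set_indent starts before and continues past this hunk, so any later use of those pointers further down the function is not visible here and is worth checking.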
@@ -764,24 +768,24 @@ set_indent(
 // Correct saved cursor position if it is in this line.
 if (saved_cursor.lnum == curwin->w_cursor.lnum)
 {
- if (saved_cursor.col >= (colnr_T)(p - oldline))
+ if (saved_cursor.col >= old_offset)
 // cursor was after the indent, adjust for the number of
 // bytes added/removed
- saved_cursor.col += ind_len - (colnr_T)(p - oldline);
- else if (saved_cursor.col >= (colnr_T)(s - newline))
+ saved_cursor.col += ind_len - old_offset;
+ else if (saved_cursor.col >= new_offset)
 // cursor was in the indent, and is now after it, put it back
 // at the start of the indent (replacing spaces with TAB)
- saved_cursor.col = (colnr_T)(s - newline);
+ saved_cursor.col = new_offset;
 }
 #ifdef FEAT_PROP_POPUP
 {
- int added = ind_len - (colnr_T)(p - oldline);
+ int added = ind_len - old_offset;
 // When increasing indent this behaves like spaces were inserted at
 // the old indent, when decreasing indent it behaves like spaces
 // were deleted at the new indent.
 adjust_prop_columns(curwin->w_cursor.lnum,
- (colnr_T)(added > 0 ? (p - oldline) : ind_len), added, 0);
+ added > 0 ? old_offset : (colnr_T)ind_len, added, 0);
 }
 #endif
 retval = TRUE;
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -755,6 +755,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 1086,
+/**/
 1085,
 /**/
 1084,
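Review bot: Nothing in this changeset exercises the path fixed in the -764/+768 hunk of set_indent. Only src/indent.c and src/version.c are touched, so the `FEAT_PROP_POPUP` block that calls `adjust_prop_columns()` after ml_replace() has no regression test here. A read of freed memory often passes silently in an ordinary run. A test that changes the indent of a line carrying a text property, run under a memory checker such as AddressSanitizer or Valgrind, would catch a later edit that reintroduces `p - oldline` or `s - newline` after the call. The function body starts and ends outside this hunk.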