# HG changeset patch # User Bram Moolenaar # Date 1593466204 -7200 # Node ID e01b20e3a720b24c930fd77f1eb8b7d9f1313d05 # Parent 6e6dc7d7b0402a99e874f9c664482a7a99e89d05 patch 8.2.1095: may use pointer after freeing it Commit: https://github.com/vim/vim/commit/6b949615edac2dd33d5e865be8328561f296b045 Author: Bram Moolenaar Date: Mon Jun 29 23:18:42 2020 +0200 patch 8.2.1095: may use pointer after freeing it Problem: May use pointer after freeing it when text properties are used. Solution: Update redo buffer before calling ml_replace().
diff --git a/src/spellsuggest.c b/src/spellsuggest.c
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
@@ -676,8 +676,6 @@ spell_suggest(int count) mch_memmove(p, line, c); STRCPY(p + c, stp->st_word); STRCAT(p, sug.su_badptr + stp->st_orglen); - ml_replace(curwin->w_cursor.lnum, p, FALSE); - curwin->w_cursor.col = c; // For redo we use a change-word command. ResetRedobuff();
@@ -686,7 +684,10 @@ spell_suggest(int count) stp->st_wordlen + sug.su_badlen - stp->st_orglen); AppendCharToRedobuff(ESC); - // After this "p" may be invalid. + // "p" may be freed here + ml_replace(curwin->w_cursor.lnum, p, FALSE); + curwin->w_cursor.col = c; + changed_bytes(curwin->w_cursor.lnum, c); } }
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -755,6 +755,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 1095, +/**/ 1094, /**/ 1093,
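Review bot: The new comment `// "p" may be freed here` above the relocated `ml_replace()` call in the second spellsuggest.c hunk names the hazard but not the rule the fix depends on, which is that nothing after the call may read through `p`. The commit message ties the free to text properties, so I would say so in the comment, e.g. `// ml_replace() takes over "p" and may free it (text properties); do not use "p" below.` The rest of the visible hunk only uses `c` and the cursor line number, which is fine, but spell_suggest() continues outside the hunk, so any later use of `p` should be checked, as should `line` and `sug.su_badptr` if they point into the replaced line (not visible here). Adding `p = NULL;` right after the call would make a later dereference fail immediately instead of reading freed memory.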