# HG changeset patch
# User Bram Moolenaar <Bram@vim.org>
# Date 1685901604 -7200
# Node ID cceee401aa51349756fa47393158135886ba2c93
# Parent  f9fe29a477a2f6a8b80f63299bf0ea5ad76857a5
patch 9.0.1606: using freed memory when 'foldcolumn' is set

Commit: https://github.com/vim/vim/commit/58e1e010454113a7c8a9b0327c54d2ee7d73d2fd
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Sun Jun 4 18:46:28 2023 +0100

    patch 9.0.1606: using freed memory when 'foldcolumn' is set

    Problem:    Using freed memory when 'foldcolumn' is set.
    Solution:   Save extra pointer to free it later. (closes https://github.com/vim/vim/issues/12492)

diff --git a/src/drawline.c b/src/drawline.c
--- a/src/drawline.c
+++ b/src/drawline.c
@@ -150,6 +150,7 @@ typedef struct {
     // saved "extra" items for when draw_state becomes WL_LINE (again)
     int		saved_n_extra;
     char_u	*saved_p_extra;
+    char_u	*saved_p_extra_free;
     int		saved_extra_attr;
     int		saved_n_attr_skip;
     int		saved_extra_for_textprop;
@@ -230,7 +231,7 @@ handle_foldcolumn(win_T *wp, winlinevars
 	return;
 
     wlv->n_extra = (int)fill_foldcolumn(wlv->p_extra_free,
-	    wp, FALSE, wlv->lnum);
+							 wp, FALSE, wlv->lnum);
     wlv->p_extra_free[wlv->n_extra] = NUL;
     wlv->p_extra = wlv->p_extra_free;
     wlv->c_extra = NUL;
@@ -979,6 +980,9 @@ win_line_start(win_T *wp UNUSED, winline
 	wlv->draw_state = WL_START;
 	wlv->saved_n_extra = wlv->n_extra;
 	wlv->saved_p_extra = wlv->p_extra;
+	vim_free(wlv->saved_p_extra_free);
+	wlv->saved_p_extra_free = wlv->p_extra_free;
+	wlv->p_extra_free = NULL;
 	wlv->saved_extra_attr = wlv->extra_attr;
 	wlv->saved_n_attr_skip = wlv->n_attr_skip;
 	wlv->saved_extra_for_textprop = wlv->extra_for_textprop;
@@ -1015,6 +1019,9 @@ win_line_continue(winlinevars_T *wlv)
 	wlv->c_extra = wlv->saved_c_extra;
 	wlv->c_final = wlv->saved_c_final;
 	wlv->p_extra = wlv->saved_p_extra;
+	vim_free(wlv->p_extra_free);
+	wlv->p_extra_free = wlv->saved_p_extra_free;
+	wlv->saved_p_extra_free = NULL;
 	wlv->extra_attr = wlv->saved_extra_attr;
 	wlv->n_attr_skip = wlv->saved_n_attr_skip;
 	wlv->extra_for_textprop = wlv->saved_extra_for_textprop;
@@ -4119,5 +4126,6 @@ win_line(
 #endif
 
     vim_free(wlv.p_extra_free);
+    vim_free(wlv.saved_p_extra_free);
     return wlv.row;
 }
diff --git a/src/testdir/test_fold.vim b/src/testdir/test_fold.vim
--- a/src/testdir/test_fold.vim
+++ b/src/testdir/test_fold.vim
@@ -1755,4 +1755,18 @@ func Test_fold_screenrow_motion()
   call assert_equal(1, line('.'))
 endfunc
 
+" This was using freed memory
+func Test_foldcolumn_linebreak_control_char()
+  CheckFeature linebreak
+
+  5vnew
+  setlocal foldcolumn=1 linebreak
+  call setline(1, "aaa\<C-A>b")
+  redraw
+  call assert_equal([' aaa^', ' Ab  '], ScreenLines([1, 2], 5))
+  call assert_equal(screenattr(1, 5), screenattr(2, 2))
+
+  bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -696,6 +696,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1606,
+/**/
     1605,
 /**/
     1604,