From d77f9d595eb5f301b39b4373f2900a13c0ca30e2 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 4 Sep 2016 15:13:39 +0200
Subject: patch 7.4.2323 Problem:    Using freed memory when using
 'formatexpr'. (Dominique Pelle) Solution:   Make a copy of 'formatexpr'
 before evaluating it.

---
 src/ops.c                   |  9 ++++++++-
 src/testdir/test_normal.vim | 24 ++++++++++++++++++++++++
 src/version.c               |  2 ++
 3 files changed, 34 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/ops.c b/src/ops.c
index c03c7be2e7..4bef6c5a21 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -4741,6 +4741,7 @@ fex_format(
     int		use_sandbox = was_set_insecurely((char_u *)"formatexpr",
 								   OPT_LOCAL);
     int		r;
+    char_u	*fex;
 
     /*
      * Set v:lnum to the first line number and v:count to the number of lines.
@@ -4750,16 +4751,22 @@ fex_format(
     set_vim_var_nr(VV_COUNT, count);
     set_vim_var_char(c);
 
+    /* Make a copy, the option could be changed while calling it. */
+    fex = vim_strsave(curbuf->b_p_fex);
+    if (fex == NULL)
+	return 0;
+
     /*
      * Evaluate the function.
      */
     if (use_sandbox)
 	++sandbox;
-    r = (int)eval_to_number(curbuf->b_p_fex);
+    r = (int)eval_to_number(fex);
     if (use_sandbox)
 	--sandbox;
 
     set_vim_var_string(VV_CHAR, NULL, -1);
+    vim_free(fex);
 
     return r;
 }
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
index 98cb7754bb..34561ffbab 100644
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -192,6 +192,30 @@ func! Test_normal05_formatexpr()
   bw!
 endfu
 
+func Test_normal05_formatexpr_newbuf()
+  " Edit another buffer in the 'formatexpr' function
+  new
+  func! Format()
+    edit another
+  endfunc
+  set formatexpr=Format()
+  norm gqG
+  bw!
+  set formatexpr=
+endfunc
+
+func Test_normal05_formatexpr_setopt()
+  " Change the 'formatexpr' value in the function
+  new
+  func! Format()
+    set formatexpr=
+  endfunc
+  set formatexpr=Format()
+  norm gqG
+  bw!
+  set formatexpr=
+endfunc
+
 func! Test_normal06_formatprg()
   " basic test for formatprg
   " only test on non windows platform
diff --git a/src/version.c b/src/version.c
index 155d9dda20..85121d6e32 100644
--- a/src/version.c
+++ b/src/version.c
@@ -763,6 +763,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2323,
 /**/
     2322,
 /**/
-- 
cgit v1.2.3