patch 8.0.0078v8.0.0078

Problem:    Accessing freed memory in quickfix.
Solution:   Reset pointer when freeing 'errorformat'. (Domenique Pelle)

3 files changed, 15 insertions, 1 deletions

diff --git a/src/quickfix.c b/src/quickfix.c
index a563fa946..631aaeaaf 100644
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -114,6 +114,8 @@ struct efm_S
     int		    conthere;	/* %> used */
 };
 
+static efm_T	*fmt_start = NULL; /* cached across qf_parse_line() calls */
+
 static int	qf_init_ext(qf_info_T *qi, char_u *efile, buf_T *buf, typval_T *tv, char_u *errorformat, int newlist, linenr_T lnumfirst, linenr_T lnumlast, char_u *qf_title);
 static void	qf_store_title(qf_info_T *qi, char_u *title);
 static void	qf_new_list(qf_info_T *qi, char_u *qf_title);
@@ -389,6 +391,7 @@ free_efm_list(efm_T **efm_first)
 	vim_regfree(efm_ptr->prog);
 	vim_free(efm_ptr);
     }
+    fmt_start = NULL;
 }
 
 /* Parse 'errorformat' option */
@@ -786,7 +789,6 @@ qf_parse_line(
 	qffields_T	*fields)
 {
     efm_T		*fmt_ptr;
-    static efm_T	*fmt_start = NULL; /* cached across calls */
     char_u		*ptr;
     int			len;
     int			i;
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 118a015cb..5af46e839 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -1648,3 +1648,13 @@ function! Test_Autocmd_Exception()
 
   set efm&vim
 endfunction
+
+function Test_caddbuffer()
+  " This used to cause a memory access in freed memory
+  let save_efm = &efm
+  set efm=%EEEE%m,%WWWW,%+CCCC%>%#,%GGGG%.#
+  cgetexpr ['WWWW', 'EEEE', 'CCCC']
+  let &efm = save_efm
+  cad
+  bwipe!
+endfunc
diff --git a/src/version.c b/src/version.c
index 9f3810ef8..4d51452e4 100644
--- a/src/version.c
+++ b/src/version.c
@@ -765,6 +765,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    78,
+/**/
     77,
 /**/
     76,