From 8a01f969c198eeb655ad2f96f2796a6f6f4a1924 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 14 Nov 2016 21:50:00 +0100
Subject: patch 8.0.0085 Problem:    Using freed memory with recursive function
 call. (Dominique Pelle) Solution:   Make a copy of the function name.

---
 src/eval.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'src/eval.c')

diff --git a/src/eval.c b/src/eval.c
index e92a97f18..7ca129b37 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -4339,10 +4339,17 @@ eval7(
 		 * use its contents. */
 		s = deref_func_name(s, &len, &partial, !evaluate);
 
-		/* Invoke the function. */
-		ret = get_func_tv(s, len, rettv, arg,
-			  curwin->w_cursor.lnum, curwin->w_cursor.lnum,
-			  &len, evaluate, partial, NULL);
+		/* Need to make a copy, in case evaluating the arguments makes
+		 * the name invalid. */
+		s = vim_strsave(s);
+		if (s == NULL)
+		    ret = FAIL;
+		else
+		    /* Invoke the function. */
+		    ret = get_func_tv(s, len, rettv, arg,
+			      curwin->w_cursor.lnum, curwin->w_cursor.lnum,
+			      &len, evaluate, partial, NULL);
+		vim_free(s);
 
 		/* If evaluate is FALSE rettv->v_type was not set in
 		 * get_func_tv, but it's needed in handle_subscript() to parse
-- 
cgit v1.2.1