vim-patch:9.0.0246: using freed memory when 'tagfunc' deletes the buffer

Problem:    Using freed memory when 'tagfunc' deletes the buffer.
Solution:   Make a copy of the tag name.

https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e7515762c

Co-authored-by: Bram Moolenaar <Bram@vim.org>

2 files changed, 18 insertions, 1 deletions

diff --git a/src/nvim/tag.c b/src/nvim/tag.c
index d6e62cff6d..5216919d98 100644
--- a/src/nvim/tag.c
+++ b/src/nvim/tag.c
@@ -199,6 +199,7 @@ void do_tag(char *tag, int type, int count, int forceit, int verbose)
   int skip_msg = false;
   char_u *buf_ffname = (char_u *)curbuf->b_ffname;  // name for priority computation
   int use_tfu = 1;
+  char *tofree = NULL;
 
   // remember the matches for the last used tag
   static int num_matches = 0;
@@ -450,7 +451,10 @@ void do_tag(char *tag, int type, int count, int forceit, int verbose)
 
     // When desired match not found yet, try to find it (and others).
     if (use_tagstack) {
-      name = tagstack[tagstackidx].tagname;
+      // make a copy, the tagstack may change in 'tagfunc'
+      name = xstrdup(tagstack[tagstackidx].tagname);
+      xfree(tofree);
+      tofree = name;
     } else if (g_do_tagpreview != 0) {
       name = ptag_entry.tagname;
     } else {
@@ -681,6 +685,7 @@ end_do_tag:
   }
   postponed_split = 0;          // don't split next time
   g_do_tagpreview = 0;          // don't do tag preview next time
+  xfree(tofree);
 }
 
 // List all the matching tags.
diff --git a/src/nvim/testdir/test_tagfunc.vim b/src/nvim/testdir/test_tagfunc.vim
index e3085b9395..ad761f1b23 100644
--- a/src/nvim/testdir/test_tagfunc.vim
+++ b/src/nvim/testdir/test_tagfunc.vim
@@ -273,4 +273,16 @@ func Test_tagfunc_callback()
   %bw!
 endfunc
 
+func Test_tagfunc_wipes_buffer()
+  func g:Tag0unc0(t,f,o)
+   bwipe
+  endfunc
+  set tagfunc=g:Tag0unc0
+  new
+  cal assert_fails('tag 0', 'E987:')
+
+  delfunc g:Tag0unc0
+  set tagfunc=
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab