fix(api): fix nvim_buf_set_text heap-use-after-free (#19644)

The line returned but ml_get_buf() may be freed by another call to
ml_get_buf(), so it is necessary to make a copy.

1 files changed, 12 insertions, 0 deletions

diff --git a/test/functional/api/buffer_spec.lua b/test/functional/api/buffer_spec.lua
index dc668e7201..8f6fc666c9 100644
--- a/test/functional/api/buffer_spec.lua
+++ b/test/functional/api/buffer_spec.lua
@@ -7,6 +7,7 @@ local meths = helpers.meths
 local funcs = helpers.funcs
 local request = helpers.request
 local exc_exec = helpers.exc_exec
+local exec_lua = helpers.exec_lua
 local feed_command = helpers.feed_command
 local insert = helpers.insert
 local NIL = helpers.NIL
@@ -565,6 +566,17 @@ describe('api/buf', function()
       eq('start is higher than end', pcall_err(set_text, 1, 0, 0, 0, {}))
       eq('start is higher than end', pcall_err(set_text, 0, 1, 0, 0, {}))
     end)
+
+    it('no heap-use-after-free when called consecutively #19643', function()
+      set_text(0, 0, 0, 0, {'one', '', '', 'two'})
+      eq({'one', '', '', 'two'}, get_lines(0, 4, true))
+      meths.win_set_cursor(0, {1, 0})
+      exec_lua([[
+        vim.api.nvim_buf_set_text(0, 0, 3, 1, 0, {''})
+        vim.api.nvim_buf_set_text(0, 0, 3, 1, 0, {''})
+      ]])
+      eq({'one', 'two'}, get_lines(0, 2, true))
+    end)
   end)
 
   describe('nvim_buf_get_text', function()