From 710546c5e93cd433bd2eb566df52b58e3583c386 Mon Sep 17 00:00:00 2001
From: Jurica Bradaric
Date: Mon, 17 Jul 2017 15:53:23 +0200
Subject: vim-patch:8.0.0085

Problem: Using freed memory with recursive function call. (Dominique Pelle)
Solution: Make a copy of the function name.

https://github.com/vim/vim/commit/8a01f969c198eeb655ad2f96f2796a6f6f4a1924
---
 src/nvim/eval.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src/nvim/eval.c')

diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index e5bb7f1b38..08b3d1dbd7 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -4239,11 +4239,17 @@ static int eval7(
 // use its contents.
 s = deref_func_name((const char *)s, &len, &partial, !evaluate);
 
+ // Need to make a copy, in case evaluating the arguments makes
+ // the name invalid.
+ s = xmemdupz(s, len);
+
 // Invoke the function.
 ret = get_func_tv(s, len, rettv, arg,
 curwin->w_cursor.lnum, curwin->w_cursor.lnum,
 &len, evaluate, partial, NULL);
 
+ xfree(s);
+
 // If evaluate is false rettv->v_type was not set in
 // get_func_tv, but it's needed in handle_subscript() to parse
 // what follows. So set it here.
-- cgit
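Review bot: After the added `xfree(s);` the local `s` still holds the freed address, and this branch of eval7 continues past the end of the hunk, so a later read of `s` there would bring back the use-after-free this patch removes. Either clear it at the free, `xfree(s); s = NULL;`, or mark the ownership with a comment such as `// s was our private copy of the name; do not use it below.` The comment on the copy could also say what goes stale, e.g. `// deref_func_name() may hand back a pointer into the variable's own storage, which evaluating the arguments can free.` That is inferred from the commit message and the context comment, so confirm it against deref_func_name. This view is limited to src/nvim/eval.c, so it does not show whether a regression test for the recursive-call case comes with the port.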