From: Markus Koschany <apo@debian.org>
Date: Sun, 6 Nov 2022 23:12:54 +0100
Subject: CVE-2022-2946

Origin: https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e7515762c
---
 src/tag.c                    |  9 ++++++++-
 src/testdir/test_tagcase.vim | 12 ++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/tag.c b/src/tag.c
index b1915e1..4e96da3 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -146,6 +146,7 @@ do_tag(
     int		attr;
     int		use_tagstack;
     int		skip_msg = FALSE;
+    char_u	*tofree = NULL;
     char_u	*buf_ffname = curbuf->b_ffname;	    /* name to use for
 						       priority computation */
 
@@ -486,7 +487,12 @@ do_tag(
 	 * When desired match not found yet, try to find it (and others).
 	 */
 	if (use_tagstack)
-	    name = tagstack[tagstackidx].tagname;
+	{
+	    // make a copy, the tagstack may change in 'tagfunc'
+	    name = vim_strsave(tagstack[tagstackidx].tagname);
+	    vim_free(tofree);
+	    tofree = name;
+	}
 #if defined(FEAT_QUICKFIX)
 	else if (g_do_tagpreview != 0)
 	    name = ptag_entry.tagname;
@@ -1078,6 +1084,7 @@ end_do_tag:
     g_do_tagpreview = 0;	/* don't do tag preview next time */
 # endif
 
+    vim_free(tofree);
 #ifdef FEAT_CSCOPE
     return jumped_to_tag;
 #else