From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar
Date: Sat, 17 Sep 2022 19:43:23 +0100
Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter autocmd

Problem: Using freed memory with cmdwin and BufEnter autocmd.
Solution: Make sure pointer to b_p_iminsert is still valid.
---
 src/ex_getln.c | 8 ++++++--
 src/testdir/test_cmdwin.vim | 10 ++++++++++
 src/version.c | 2 ++
 3 files changed, 18 insertions(+), 2 deletions(-)
Backport: rewrote b_im_ptr handling
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 70436b31f05e..a4fb61145c96 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -858,6 +858,7 @@ getcmdline_int(
 #endif
 expand_T xpc;
 long *b_im_ptr = NULL;
+ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
 struct cmdline_info save_ccline;
 int did_save_ccline = FALSE;
 int cmdline_type;
@@ -968,6 +969,7 @@ getcmdline_int(
 b_im_ptr = &curbuf->b_p_iminsert;
 else
 b_im_ptr = &curbuf->b_p_imsearch;
+ b_im_ptr_buf = curbuf;
 if (*b_im_ptr == B_IMODE_LMAP)
 State |= LANGMAP;
 #ifdef HAVE_INPUT_METHOD
@@ -1718,7 +1720,7 @@ getcmdline_int(
 #ifdef HAVE_INPUT_METHOD
 im_set_active(FALSE); /* Disable input method */
 #endif
- if (b_im_ptr != NULL)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
 {
 if (State & LANGMAP)
 *b_im_ptr = B_IMODE_LMAP;
@@ -1732,7 +1734,7 @@ getcmdline_int(
 /* There are no ":lmap" mappings, toggle IM. When
 * 'imdisable' is set don't try getting the status, it's
 * always off. */
- if ((p_imdisable && b_im_ptr != NULL)
+ if ((p_imdisable && b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
 ? *b_im_ptr == B_IMODE_IM : im_get_status())
 {
 im_set_active(FALSE); /* Disable input method */
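Review bot: In the `@@ -1718,7 +1720,7 @@` hunk of src/ex_getln.c the added `buf_valid(b_im_ptr_buf)` test carries no comment saying why a pointer taken from curbuf can go stale, and the same two-part condition is repeated in the hunks at -1732, -1742 (twice) and -2476. I would put `// An autocommand may have wiped out the buffer b_im_ptr points into.` above this first guard. Folding the pair into one local macro, for example `#define B_IM_PTR_VALID() (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))`, would keep a later dereference of b_im_ptr from being added with only the NULL half of the check. getcmdline_int() starts and ends outside the hunk.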
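Review bot: In the `@@ -1732,7 +1734,7 @@` hunk, when 'imdisable' is set and the remembered buffer is no longer valid, the ternary now falls through to `im_get_status()`, which the comment directly above says should not be called in that case. The same fall-through already existed for a NULL b_im_ptr, so it is probably harmless, but the condition would match its comment if written as `if (p_imdisable ? (b_im_ptr != NULL && buf_valid(b_im_ptr_buf) && *b_im_ptr == B_IMODE_IM) : im_get_status())`. The enclosing block continues outside the hunk.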
@@ -1742,12 +1744,12 @@ getcmdline_int(
 else
 {
 im_set_active(TRUE); /* Enable input method */
- if (b_im_ptr != NULL)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
 *b_im_ptr = B_IMODE_IM;
 }
 }
 #endif
- if (b_im_ptr != NULL)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
 {
 if (b_im_ptr == &curbuf->b_p_iminsert)
 set_iminsert_global();
@@ -2476,7 +2478,8 @@ getcmdline_int(
 State = save_State;
 #ifdef HAVE_INPUT_METHOD
- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+ && *b_im_ptr != B_IMODE_LMAP)
 im_save_status(b_im_ptr);
 im_set_active(FALSE);
 #endif
diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim
index d62673aba254..fe849bcc1686 100644
--- /dev/null
+++ b/src/testdir/test_cmdwin.vim
@@ -0,0 +0,12 @@
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+ au BufEnter * next 0| file
+ edit 0
+ silent! norm q/
+
+ au! BufEnter
+ bwipe!
+endfunc
+
+
+" vim: shiftwidth=2 sts=2 expandtab
--- a/src/testdir/Make_all.mak
+++ b/src/testdir/Make_all.mak
@@ -89,6 +89,7 @@
 test_clientserver \
 test_close_count \
 test_cmdline \
+ test_cmdwin \
 test_command_count \
 test_comparators \
 test_compiler \
--- a/src/version.c
+++ b/src/version.c
@@ -2618,6 +2618,7 @@
 "8.2.3403",
 "8.2.3409",
 "8.2.3428",
+ "9.0.0490",
 /**/
 NULL
 };
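Review bot: In the second change of the `@@ -1742,12 +1744,12 @@` hunk the guard validates b_im_ptr_buf, but the next line still compares against `&curbuf->b_p_iminsert`. If an autocommand left the original buffer alive and only switched curbuf, that comparison is false even for an iminsert pointer, and the else branch (outside the hunk, presumably the imsearch counterpart) would run for the wrong option. Comparing against the remembered buffer, `if (b_im_ptr == &b_im_ptr_buf->b_p_iminsert)`, keeps the branch choice tied to the buffer that was just validated. `set_iminsert_global()` takes no argument here, so it appears to act on curbuf; it is worth confirming whether it should act on b_im_ptr_buf as well.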
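Review bot: Test_cmdwin_freed_buffer_ptr() in src/testdir/test_cmdwin.vim contains no assert, and `silent! norm q/` suppresses errors, so on a build without a memory checker the test passes whether or not the fix is present. A comment such as `" No assert: this only fails when run under ASan or valgrind` would make that dependency explicit. The BufEnter autocommand is also defined globally and removed with `au! BufEnter`, which clears every BufEnter handler and is skipped if the test aborts early. Defining it inside an augroup and clearing only that group would keep the cleanup scoped.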