From: Markus Koschany
Date: Mon, 7 Nov 2022 01:01:37 +0100
Subject: CVE-2022-3705
Origin: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731
---
 src/quickfix.c | 6 ++++++
 src/testdir/test_quickfix.vim | 15 +++++++++++++++
 src/version.c | 2 ++
 3 files changed, 23 insertions(+)
diff --git a/src/quickfix.c b/src/quickfix.c
index 3bfa027..d6f773b 100644
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -4274,6 +4274,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T *old_last)
 // when the added lines are not visible.
 if ((win = qf_find_win(qi)) != NULL && old_line_count < win->w_botline)
 redraw_buf_later(buf, NOT_VALID);
+
+ // always called after incr_quickfix_busy()
+ decr_quickfix_busy();
 }
 }
@@ -4408,6 +4411,9 @@ qf_fill_buffer(qf_info_T *qi, buf_T *buf, qfline_T *old_last)
 break;
 }
+ // autocommands may cause trouble
+ incr_quickfix_busy();
+
 if (old_last == NULL)
 // Delete the empty line which is now at the end
 (void)ml_delete(lnum + 1, FALSE);
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 2e5fffa..860e417 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -3931,3 +3931,18 @@ func Test_lopen_bwipe()
 delfunc R
 endfunc
+func Test_filetype_autocmd()
+ " this changes the location list while it is in use to fill a buffer
+ lexpr ''
+ lopen
+ augroup FT_loclist
+ au FileType * call setloclist(0, [], 'f')
+ augroup END
+ silent! lolder
+ lexpr ''
+
+ augroup FT_loclist
+ au! FileType
+ augroup END
+endfunc
+
diff --git a/src/version.c b/src/version.c
index cd174b0..28f8753 100644
--- a/src/version.c
+++ b/src/version.c
@@ -791,6 +791,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 805,
 /**/
 5024,
 /**/
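Review bot: The `decr_quickfix_busy()` added at the end of qf_update_buffer is paired with an `incr_quickfix_busy()` that this patch places in a different function, qf_fill_buffer (the second hunk of src/quickfix.c), so the counter stays balanced only if every call into qf_fill_buffer comes from qf_update_buffer and every pass through qf_update_buffer actually reaches the increment. The context around the increment (`break; }` followed by `if (old_last == NULL)`) suggests it sits after the fill loop and possibly inside a conditional block; a pass that skips it would decrement without a matching increment, and any other caller of qf_fill_buffer would leave the busy counter raised for the rest of the session. Both function bodies extend outside the hunks, so this needs checking against the full file and against the commit named in Origin. Assuming qf_update_buffer is what calls qf_fill_buffer here, keeping both calls in qf_update_buffer around that use would make the comment `// always called after incr_quickfix_busy()` true by construction.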
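Review bot: The comment `// autocommands may cause trouble` above `incr_quickfix_busy()` does not say what is being protected or where the matching release happens. Going by the test added in this patch, the concern is an autocommand changing or freeing the location list while it is still in use to fill the buffer, so a comment such as `// Autocommands triggered from here on may free the list in use; keep it busy until decr_quickfix_busy() in qf_update_buffer()` would tell a maintainer why the call must not be dropped or moved. qf_fill_buffer starts and ends outside this hunk.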
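Review bot: Test_filetype_autocmd contains no assertion and runs `silent! lolder`, so it passes on any build that does not crash; it catches a regression only when the suite runs under a memory checker such as ASan or Valgrind, which is worth stating in the leading comment. The cleanup also leaves state behind: the location-list window opened by `lopen` is never closed and the emptied group is not deleted. Adding `lclose` and `augroup! FT_loclist` before `endfunc` would keep later tests from inheriting that state.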