From: Christian Brabandt
Date: Wed, 27 Sep 2023 22:42:36 +0000
Subject: CVE-2023-4752: heap use after free in ins_compl_get_exp()
Problem: heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it
Signed-off-by: Christian Brabandt
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-4752
origin: https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139
bug: https://huntr.dev/bounties/85f62dd7-ed84-4fa2-b265-8a369a318757/
[backport] ins_compl_get_exp is under sr/edit.c
---
 src/edit.c | 2 +-
 src/version.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/edit.c b/src/edit.c
index f2521e1..428b69c 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -4752,7 +4752,7 @@ ins_compl_get_exp(pos_T *ini)
 else
 {
 /* Mark a buffer scanned when it has been scanned completely */
- if (type == 0 || type == CTRL_X_PATH_PATTERNS)
+ if (buf_valid(ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
 ins_buf->b_scanned = TRUE;
 
 compl_started = FALSE;
diff --git a/src/version.c b/src/version.c
index a03d79b..d863dd1 100644
--- a/src/version.c
+++ b/src/version.c
@@ -791,6 +791,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 1858,
 /**/
 5126,
 /**/
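Review bot: The `buf_valid(ins_buf)` guard in the src/edit.c hunk covers only the `ins_buf->b_scanned = TRUE;` write, so any other dereference of `ins_buf` that runs after the scan in ins_compl_get_exp() would still touch the freed buffer. The function body starts and ends outside this hunk, so in the backported tree those other uses need to be checked by hand rather than assumed to match upstream. The existing comment describes only the "scanned completely" condition; I would extend it to record why the validity test is there, e.g. `/* ins_buf may have been freed during the scan; only mark it when it is still a valid buffer */`. The diffstat lists only src/edit.c and src/version.c, so no regression test accompanies the backport; a reproducer run under an address sanitizer would confirm the fix holds at this older code location.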