From ee9166eb3b41846661a39b662dc7ebe8b5e15139 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Sun, 3 Sep 2023 21:24:33 +0200
Subject: [PATCH 33/52] patch 9.0.1858: [security] heap use after free in
 ins_compl_get_exp()

Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/insexpand.c                   |  2 +-
 2 files changed, 1 insertions(+), 1 deletions(-)
 create mode 100644 src/testdir/crash/poc_tagfunc.vim

diff --git a/src/insexpand.c b/src/insexpand.c
index 3cfdface4..b767b4efd 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3840,7 +3840,7 @@ ins_compl_get_exp(pos_T *ini)
 	else
 	{
 	    // Mark a buffer scanned when it has been scanned completely
-	    if (type == 0 || type == CTRL_X_PATH_PATTERNS)
+	    if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
 		st.ins_buf->b_scanned = TRUE;
 
 	    compl_started = FALSE;