From: Christian Brabandt <cb@256bit.org>
Date: Sun, 3 Sep 2023 21:24:33 +0200
Subject: patch 9.0.1858: [security] heap use after free in
 ins_compl_get_exp()

Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit ee9166eb3b41846661a39b662dc7ebe8b5e15139)
---
 src/insexpand.c                   | 2 +-
 src/testdir/crash/poc_tagfunc.vim | 6 ++++++
 src/version.c                     | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 src/testdir/crash/poc_tagfunc.vim

diff --git a/src/insexpand.c b/src/insexpand.c
index 2737f2b..acd0a3b 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3851,7 +3851,7 @@ ins_compl_get_exp(pos_T *ini)
 	else
 	{
 	    // Mark a buffer scanned when it has been scanned completely
-	    if (type == 0 || type == CTRL_X_PATH_PATTERNS)
+	    if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
 		st.ins_buf->b_scanned = TRUE;
 
 	    compl_started = FALSE;
diff --git a/src/testdir/crash/poc_tagfunc.vim b/src/testdir/crash/poc_tagfunc.vim
new file mode 100644
index 0000000..49d9b6f
--- /dev/null
+++ b/src/testdir/crash/poc_tagfunc.vim
@@ -0,0 +1,6 @@
+fu Tagfunc(t,f,o)
+  bw
+endf
+set tagfunc=Tagfunc
+n0
+sil0norm0i
diff --git a/src/version.c b/src/version.c
index 244264c..49a8d6b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1858,
 /**/
     1848,
 /**/