commit c604f3ad4782fde770617ff688e1ceac0dc1bd7c

Author: Tomas Korbar <tkorbar@redhat.com>

Date:   Thu Feb 3 10:14:42 2022 +0100

    Fix using freed memory when substitute with function call

diff --git a/src/ex_cmds.c b/src/ex_cmds.c

index e69fbd3..0788573 100644

--- a/src/ex_cmds.c

+++ b/src/ex_cmds.c

@@ -4767,6 +4767,7 @@ do_sub(exarg_T *eap)

     int		save_do_all;		/* remember user specified 'g' flag */

     int		save_do_ask;		/* remember user specified 'c' flag */

     char_u	*pat = NULL, *sub = NULL;	/* init for GCC */

+	char_u	*sub_copy = NULL;

     int		delimiter;

     int		sublen;

     int		got_quit = FALSE;

@@ -5062,11 +5063,20 @@ do_sub(exarg_T *eap)

     sub_firstline = NULL;

     /*

-     * ~ in the substitute pattern is replaced with the old pattern.

-     * We do it here once to avoid it to be replaced over and over again.

-     * But don't do it when it starts with "\=", then it's an expression.

+     * If the substitute pattern starts with "\=" then it's an expression.

+     * Make a copy, a recursive function may free it.

+     * Otherwise, '~' in the substitute pattern is replaced with the old

+     * pattern.  We do it here once to avoid it to be replaced over and over

+     * again.

      */

-    if (!(sub[0] == '\\' && sub[1] == '='))

+    if (sub[0] == '\\' && sub[1] == '=')

+    {

+	sub = vim_strsave(sub);

+	if (sub == NULL)

+	    return;

+	sub_copy = sub;

+    }

+    else

 	sub = regtilde(sub, p_magic);

     /*

@@ -5825,6 +5835,7 @@ outofmem:

 #endif

     vim_regfree(regmatch.regprog);

+	vim_free(sub_copy);

     /* Restore the flag values, they can be used for ":&&". */

     subflags.do_all = save_do_all;