From a916696a130b2bb9517c01f77148dfb77ef304fd Mon Sep 17 00:00:00 2001
From: oni-link
Date: Thu, 12 Mar 2015 14:05:16 +0100
Subject: [PATCH 1/2] syntax.c: Prevent use after free for variable g:colors_name.

ASan spotted a problem when using 'set background={light,dark}' with color scheme solarized. While loading the colors for color scheme 'g:colors_name', the pointer on the value for this variable can become invalid, because of an 'unlet colors_name' (part of an :highlight clear, syntax.c:6173). To prevent the use of the freed value, decouple the value from 'g:colors_name' before calling load_colors() with it.
---
 src/nvim/syntax.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/nvim/syntax.c b/src/nvim/syntax.c
index 07f18bf93b..3f9466fd7c 100644
--- a/src/nvim/syntax.c
+++ b/src/nvim/syntax.c
@@ -5938,15 +5938,22 @@ init_highlight (
 int i;
 char **pp;
 static int had_both = FALSE;
- char_u *p;
 
 /*
 * Try finding the color scheme file. Used when a color file was loaded
 * and 'background' or 't_Co' is changed.
 */
- p = get_var_value((char_u *)"g:colors_name");
- if (p != NULL && load_colors(p) == OK)
- return;
+ char_u *p = get_var_value((char_u *)"g:colors_name");
+ if (p != NULL) {
+ // Value of g:colors_name could be freed in load_colors() and make
+ // p invalid, so copy it.
+ char_u *copy_p = vim_strsave(p);
+ bool okay = load_colors(copy_p);
+ free(copy_p);
+ if (okay) {
+ return;
+ }
+ }
 
 /*
 * Didn't use a color file, use the compiled-in colors.

From 0d8a10f6c5180511b36925bb7c66452c8126eb58 Mon Sep 17 00:00:00 2001
From: oni-link
Date: Fri, 13 Mar 2015 18:31:52 +0100
Subject: [PATCH 2/2] vim-patch: mark 7.4.660 as included

refs #2138

vim-patch: https://code.google.com/p/vim/source/detail?r=476a12a96bb1e5ccc71b1c1010d529deca271617
---
 src/nvim/version.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/nvim/version.c b/src/nvim/version.c
index 4d25c63111..f876e78388 100644
--- a/src/nvim/version.c
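Review bot: `bool okay = load_colors(copy_p);` silently narrows the int OK/FAIL result of load_colors() to a bool, whereas the removed line compared it against OK explicitly; write `bool okay = load_colors(copy_p) == OK;` so the branch does not depend on OK being the only non-zero return value. The copy itself is the right shape for the use-after-free the commit message describes: once load_colors() can unlet g:colors_name (via :highlight clear), the value returned by get_var_value() must not be read after that call, and here nothing touches p after vim_strsave(), while copy_p's lifetime ends at the `free(copy_p)` that follows the only use. The hunk comment would help a future reader more if it named the trigger, e.g. `// load_colors() may run ":highlight clear", which unlets g:colors_name and frees the value p points at, so work on a private copy.` init_highlight() starts before and continues after this hunk, so whether p is used further down cannot be confirmed from the hunk alone.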
+++ b/src/nvim/version.c
@@ -178,6 +178,10 @@ static char *(features[]) = {
 
 // clang-format off
 static int included_patches[] = {
+ //662,
+ //661,
+ 660,
+ //659,
 //658,
 //657,
 //656,