From 4a8af9cc99cd97032d85819601dc44d6de852c1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eliseo=20Marti=CC=81nez?=
Date: Fri, 14 Nov 2014 09:17:16 +0100
Subject: [PATCH] Fix warnings: undo.c: u_blockfree(): Use after free: FP.
Problem : Use-after-free @ 2686.
Diagnostic : False positive.
Rationale : Suggested error path is taking false branch `uhp->uh_next.ptr != NULL` @ 2506, which cannot happen when `uhp == buf->b_u_oldhead`.
Resolution : Assert `buf->b_u_oldhead` is changed after freeing old one.
---
 src/nvim/undo.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/nvim/undo.c b/src/nvim/undo.c
index b72d8ddb4f..2ab31b6cfd 100644
--- a/src/nvim/undo.c
+++ b/src/nvim/undo.c
@@ -80,6 +80,7 @@
 #define UH_MAGIC 0x18dade /* value for uh_magic when in use */
 #define UE_MAGIC 0xabc123 /* value for ue_magic when in use */
+#include
 #include
 #include
 #include
@@ -2682,8 +2683,11 @@ void u_undoline(void)
 */
 void u_blockfree(buf_T *buf)
 {
- while (buf->b_u_oldhead != NULL)
+ while (buf->b_u_oldhead != NULL) {
+ u_header_T *previous_oldhead = buf->b_u_oldhead;
 u_freeheader(buf, buf->b_u_oldhead, NULL);
+ assert(buf->b_u_oldhead != previous_oldhead);
+ }
 free(buf->b_u_line_ptr);
 }
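Review bot: The new `assert(buf->b_u_oldhead != previous_oldhead);` in `u_blockfree()` only enforces the invariant in builds where `NDEBUG` is not defined. In a build with `NDEBUG`, the loop is unguarded as before and `previous_oldhead` becomes a set-but-unused local, which may itself produce a compiler warning. The invariant is also worth stating in the code, since the commit message is the only place that explains it, for example `/* u_freeheader() unlinks the header and advances b_u_oldhead; if it did not, this loop would free the same header again. */` above the assert. `u_freeheader()` is not visible in this hunk, so that wording should be confirmed against its body. The assert also reads the value of a pointer whose target has just been freed; comparing it is harmless in practice, but the line should never be extended to dereference `previous_oldhead`.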