vim-patch:8.2.1086: possibly using freed memory when text properties used

Problem:    Possibly using freed memory when text properties used when
            changing indent of a line.
Solution:   Compute the offset before calling ml_replace().
cf30643ae6

src/nvim/indent.c

@@ -295,13 +295,17 @@ int set_indent(int size, int flags)
 
   // Replace the line (unless undo fails).
   if (!(flags & SIN_UNDO) || (u_savesub(curwin->w_cursor.lnum) == OK)) {
+    const colnr_T old_offset = (colnr_T)(p - oldline);
+    const colnr_T new_offset = (colnr_T)(s - newline);
+
+    // this may free "newline"
     ml_replace(curwin->w_cursor.lnum, newline, false);
     if (!(flags & SIN_NOMARK)) {
       extmark_splice_cols(curbuf,
                           (int)curwin->w_cursor.lnum-1,
                           skipcols,
-                          (int)(p-oldline) - skipcols,
+                          old_offset - skipcols,
-                          (int)(s-newline) - skipcols,
+                          new_offset - skipcols,
                           kExtmarkUndo);
     }
 
@@ -311,15 +315,14 @@ int set_indent(int size, int flags)
 
     // Correct saved cursor position if it is in this line.
     if (saved_cursor.lnum == curwin->w_cursor.lnum) {
-      if (saved_cursor.col >= (colnr_T)(p - oldline)) {
+      if (saved_cursor.col >= old_offset) {
         // Cursor was after the indent, adjust for the number of
         // bytes added/removed.
-        saved_cursor.col += ind_len - (colnr_T)(p - oldline);
+        saved_cursor.col += ind_len - old_offset;
-
+      } else if (saved_cursor.col >= new_offset) {
-      } else if (saved_cursor.col >= (colnr_T)(s - newline)) {
         // Cursor was in the indent, and is now after it, put it back
         // at the start of the indent (replacing spaces with TAB).
-        saved_cursor.col = (colnr_T)(s - newline);
+        saved_cursor.col = new_offset;
       }
     }
     retval = true;