vim-patch:9.0.1858: [security] heap use after free in ins_compl_get_exp()

Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

ee9166eb3b

Co-authored-by: Christian Brabandt <cb@256bit.org>

src/nvim/insexpand.c

@@ -3435,7 +3435,7 @@ static int ins_compl_get_exp(pos_T *ini)
       compl_started = true;
     } else {
       // Mark a buffer scanned when it has been scanned completely
-      if (type == 0 || type == CTRL_X_PATH_PATTERNS) {
+      if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS)) {
         assert(st.ins_buf);
         st.ins_buf->b_scanned = true;
       }

test/old/testdir/crash/poc_tagfunc.vim

@@ -0,0 +1,6 @@
+fu Tagfunc(t,f,o)
+  bw
+endf
+set tagfunc=Tagfunc
+n0
+sil0norm0i

test/old/testdir/test_crash.vim

@@ -39,12 +39,17 @@ func Test_crash1()
     \ '  && echo "crash 4: [OK]" >> X_crash1_result.txt' .. "\<cr>")
   " clean up
   call delete('Xerr')
-
   " This test takes a bit longer
   call TermWait(buf, 200)
 
+  let file = 'crash/poc_tagfunc.vim'
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  || echo "crash 5: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+
+  call TermWait(buf, 100)
+
   " clean up
-  call delete('Xerr')
   exe buf .. "bw!"
 
   sp X_crash1_result.txt
@@ -54,6 +59,7 @@ func Test_crash1()
       \ 'crash 2: [OK]',
       \ 'crash 3: [OK]',
       \ 'crash 4: [OK]',
+      \ 'crash 5: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))