From ab456bc304965d83585cd248284cb36c96927457 Mon Sep 17 00:00:00 2001
From: Sean Dewar <seandewar@users.noreply.github.com>
Date: Sat, 12 Mar 2022 08:25:28 +0000
Subject: [PATCH] vim-patch:8.2.3779: using freed memory when defining a user
 command recursively (#17688)

Problem:    Using freed memory when defining a user command from a user
            command.
Solution:   Do not use the command pointer after executing the command.
            (closes vim/vim#9318)
https://github.com/vim/vim/commit/205f29c3e9b895dbaa4f738046da455a93c3812a
---
 src/nvim/ex_docmd.c                    | 10 ++++++++--
 src/nvim/testdir/test_usercommands.vim | 20 ++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/src/nvim/ex_docmd.c b/src/nvim/ex_docmd.c
index a140d76858..63dc1e539e 100644
--- a/src/nvim/ex_docmd.c
+++ b/src/nvim/ex_docmd.c
@@ -6230,7 +6230,6 @@ static void do_ucmd(exarg_T *eap)
   size_t split_len = 0;
   char_u *split_buf = NULL;
   ucmd_T *cmd;
-  const sctx_T save_current_sctx = current_sctx;
 
   if (eap->cmdidx == CMD_USER) {
     cmd = USER_CMD(eap->useridx);
@@ -6320,12 +6319,19 @@ static void do_ucmd(exarg_T *eap)
     buf = xmalloc(totlen + 1);
   }
 
+  sctx_T save_current_sctx;
+  bool restore_current_sctx = false;
   if ((cmd->uc_argt & EX_KEEPSCRIPT) == 0) {
+    restore_current_sctx = true;
+    save_current_sctx = current_sctx;
     current_sctx.sc_sid = cmd->uc_script_ctx.sc_sid;
   }
   (void)do_cmdline(buf, eap->getline, eap->cookie,
                    DOCMD_VERBOSE|DOCMD_NOWAIT|DOCMD_KEYTYPED);
-  if ((cmd->uc_argt & EX_KEEPSCRIPT) == 0) {
+
+  // Careful: Do not use "cmd" here, it may have become invalid if a user
+  // command was added.
+  if (restore_current_sctx) {
     current_sctx = save_current_sctx;
   }
   xfree(buf);
diff --git a/src/nvim/testdir/test_usercommands.vim b/src/nvim/testdir/test_usercommands.vim
index 967ad85a64..e96e3d94e5 100644
--- a/src/nvim/testdir/test_usercommands.vim
+++ b/src/nvim/testdir/test_usercommands.vim
@@ -572,4 +572,24 @@ func Test_delcommand_buffer()
   call assert_equal(0, exists(':Global'))
 endfunc
 
+func DefCmd(name)
+  if len(a:name) > 30
+    return
+  endif
+  exe 'command ' .. a:name .. ' call DefCmd("' .. a:name .. 'x")'
+  echo a:name
+  exe a:name
+endfunc
+
+func Test_recursive_define()
+  call DefCmd('Command')
+
+  let name = 'Command'
+  while len(name) < 30
+    exe 'delcommand ' .. name
+    let name ..= 'x'
+  endwhile
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab