vim-patch:8.2.3779: using freed memory when defining a user command recursively (#17688)

Problem:    Using freed memory when defining a user command from a user
            command.
Solution:   Do not use the command pointer after executing the command.
            (closes vim/vim#9318)
205f29c3e9

src/nvim/ex_docmd.c

@@ -6230,7 +6230,6 @@ static void do_ucmd(exarg_T *eap)
   size_t split_len = 0;
   char_u *split_buf = NULL;
   ucmd_T *cmd;
-  const sctx_T save_current_sctx = current_sctx;
 
   if (eap->cmdidx == CMD_USER) {
     cmd = USER_CMD(eap->useridx);
@@ -6320,12 +6319,19 @@ static void do_ucmd(exarg_T *eap)
     buf = xmalloc(totlen + 1);
   }
 
+  sctx_T save_current_sctx;
+  bool restore_current_sctx = false;
   if ((cmd->uc_argt & EX_KEEPSCRIPT) == 0) {
+    restore_current_sctx = true;
+    save_current_sctx = current_sctx;
     current_sctx.sc_sid = cmd->uc_script_ctx.sc_sid;
   }
   (void)do_cmdline(buf, eap->getline, eap->cookie,
                    DOCMD_VERBOSE|DOCMD_NOWAIT|DOCMD_KEYTYPED);
-  if ((cmd->uc_argt & EX_KEEPSCRIPT) == 0) {
+
+  // Careful: Do not use "cmd" here, it may have become invalid if a user
+  // command was added.
+  if (restore_current_sctx) {
     current_sctx = save_current_sctx;
   }
   xfree(buf);

src/nvim/testdir/test_usercommands.vim

@@ -572,4 +572,24 @@ func Test_delcommand_buffer()
   call assert_equal(0, exists(':Global'))
 endfunc
 
+func DefCmd(name)
+  if len(a:name) > 30
+    return
+  endif
+  exe 'command ' .. a:name .. ' call DefCmd("' .. a:name .. 'x")'
+  echo a:name
+  exe a:name
+endfunc
+
+func Test_recursive_define()
+  call DefCmd('Command')
+
+  let name = 'Command'
+  while len(name) < 30
+    exe 'delcommand ' .. name
+    let name ..= 'x'
+  endwhile
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab