vim-patch:7.4.1647

Problem:    Using freed memory after setqflist() and ":caddbuffer".  (Dominique)
Solution:   Set qf_ptr when adding the first item to the quickfix list.

8b20179c65

src/nvim/quickfix.c

@@ -910,6 +910,8 @@ static int qf_add_entry(qf_info_T *qi, qfline_T **prevp, char_u *dir,
   if (qi->qf_lists[qi->qf_curlist].qf_count == 0) {
     /* first element in the list */
     qi->qf_lists[qi->qf_curlist].qf_start = qfp;
+    qi->qf_lists[qi->qf_curlist].qf_ptr = qfp;
+    qi->qf_lists[qi->qf_curlist].qf_index = 0;
     qfp->qf_prev = qfp;         /* first element points to itself */
   } else {
     assert(*prevp);
@@ -3621,7 +3623,9 @@ int set_errorlist(win_T *wp, list_T *list, int action, char_u *title)
   else
     qi->qf_lists[qi->qf_curlist].qf_nonevalid = FALSE;
   qi->qf_lists[qi->qf_curlist].qf_ptr = qi->qf_lists[qi->qf_curlist].qf_start;
-  qi->qf_lists[qi->qf_curlist].qf_index = 1;
+  if (qi->qf_lists[qi->qf_curlist].qf_count > 0) {
+    qi->qf_lists[qi->qf_curlist].qf_index = 1;
+  }
 
   qf_update_buffer(qi);
 

src/nvim/version.c

@@ -797,7 +797,7 @@ static int included_patches[] = {
   // 1650,
   1649,
   1648,
-  // 1647,
+  1647,
   // 1646 NA
   // 1645,
   // 1644,

test/functional/legacy/quickfix_spec.lua

@@ -443,6 +443,17 @@ describe('helpgrep', function()
 
         augroup! testgroup
       endfunc
+
+      func Test_caddbuffer_to_empty()
+        helpgr quickfix
+        call setqflist([], 'r')
+        cad
+        call assert_fails('cn', 'E553:')
+        " Upstream calls quit! here to verify vim is still
+        " running, but that will be covered by the
+        " expected_empty() call in the busted test
+        " quit!
+      endfunc
       ]])
   end)
 
@@ -522,6 +533,11 @@ describe('helpgrep', function()
     call('XquickfixChangedByAutocmd', 'l')
     expected_empty()
   end)
+
+  it('does not crash after using caddbuffer with an empty qf list', function()
+    call('Test_caddbuffer_to_empty')
+    expected_empty()
+  end)
 end)
 
 describe('errorformat', function()