From 589f418fceadfbbc10a6d1d37dd5d2ed026342b5 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 24 Jun 2022 06:30:47 +0800
Subject: [PATCH] vim-patch:8.2.4977: memory access error when substitute
 expression changes window

Problem:    Memory access error when substitute expression changes window.
Solution:   Disallow changing window in substitute expression.
https://github.com/vim/vim/commit/e2bd8600b873d2cd1f9d667c28cba8b1dba18839

"textwinlock" was renamed back to "textlock" in patch 8.2.5029.
---
 src/nvim/ex_cmds.c                   |  7 +++++++
 src/nvim/testdir/test_substitute.vim | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/nvim/ex_cmds.c b/src/nvim/ex_cmds.c
index 73e6e4a62f..7f929eec3e 100644
--- a/src/nvim/ex_cmds.c
+++ b/src/nvim/ex_cmds.c
@@ -4069,11 +4069,16 @@ static int do_sub(exarg_T *eap, proftime_T timeout, long cmdpreview_ns, handle_T
           // Save flags for recursion.  They can change for e.g.
           // :s/^/\=execute("s#^##gn")
           subflags_T subflags_save = subflags;
+
+          // Disallow changing text or switching window in an expression.
+          textlock++;
           // get length of substitution part
           sublen = vim_regsub_multi(&regmatch,
                                     sub_firstlnum - regmatch.startpos[0].lnum,
                                     (char_u *)sub, (char_u *)sub_firstline, 0,
                                     REGSUB_BACKSLASH | (p_magic ? REGSUB_MAGIC : 0));
+          textlock--;
+
           // If getting the substitute string caused an error, don't do
           // the replacement.
           // Don't keep flags set by a recursive call
@@ -4111,10 +4116,12 @@ static int do_sub(exarg_T *eap, proftime_T timeout, long cmdpreview_ns, handle_T
           int start_col = new_end - new_start;
           current_match.start.col = start_col;
 
+          textlock++;
           (void)vim_regsub_multi(&regmatch,
                                  sub_firstlnum - regmatch.startpos[0].lnum,
                                  (char_u *)sub, (char_u *)new_end, sublen,
                                  REGSUB_COPY | REGSUB_BACKSLASH | (p_magic ? REGSUB_MAGIC : 0));
+          textlock--;
           sub_nsubs++;
           did_sub = true;
 
diff --git a/src/nvim/testdir/test_substitute.vim b/src/nvim/testdir/test_substitute.vim
index c45f1e7ec6..2c24ce436f 100644
--- a/src/nvim/testdir/test_substitute.vim
+++ b/src/nvim/testdir/test_substitute.vim
@@ -838,6 +838,19 @@ func Test_using_old_sub()
   set nocompatible
 endfunc
 
+" This was switching windows in between computing the length and using it.
+func Test_sub_change_window()
+  silent! lfile
+  sil! norm o0000000000000000000000000000000000000000000000000000
+  func Repl()
+    lopen
+  endfunc
+  silent!  s/\%')/\=Repl()
+  bwipe!
+  bwipe!
+  delfunc Repl
+endfunc
+
 " Test for the 2-letter and 3-letter :substitute commands
 func Test_substitute_short_cmd()
   new