From e84c075ad9a8ce1bf5182bd0d4993cd2304cf9e1 Mon Sep 17 00:00:00 2001
From: Jan Edmund Lazo <jan.lazo@mail.utoronto.ca>
Date: Tue, 30 Jun 2020 00:11:18 -0400
Subject: [PATCH] vim-patch:8.2.1095: may use pointer after freeing it

Problem:    May use pointer after freeing it when text properties are used.
Solution:   Update redo buffer before calling ml_replace().
https://github.com/vim/vim/commit/6b949615edac2dd33d5e865be8328561f296b045
---
 src/nvim/spell.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/nvim/spell.c b/src/nvim/spell.c
index 4d8da1ba14..df29124dea 100644
--- a/src/nvim/spell.c
+++ b/src/nvim/spell.c
@@ -2930,8 +2930,6 @@ void spell_suggest(int count)
     memmove(p, line, c);
     STRCPY(p + c, stp->st_word);
     STRCAT(p, sug.su_badptr + stp->st_orglen);
-    ml_replace(curwin->w_cursor.lnum, p, false);
-    curwin->w_cursor.col = c;
 
     // For redo we use a change-word command.
     ResetRedobuff();
@@ -2940,7 +2938,10 @@ void spell_suggest(int count)
         stp->st_wordlen + sug.su_badlen - stp->st_orglen);
     AppendCharToRedobuff(ESC);
 
-    // After this "p" may be invalid.
+    // "p" may be freed here
+    ml_replace(curwin->w_cursor.lnum, p, false);
+    curwin->w_cursor.col = c;
+
     changed_bytes(curwin->w_cursor.lnum, c);
   } else
     curwin->w_cursor = prev_cursor;