patch 9.1.2079: use-after-free with 'qftf' wiping buffer

Problem:  use-after-free with 'quickfixtextfunc' wiping buffer
          (henices)
Solution: Evaluate 'quickfixtextfunc' with textlock enabled.

closes: #19142

Signed-off-by: Christian Brabandt <cb@256bit.org>

runtime/doc/options.txt

@@ -6973,6 +6973,9 @@ A jump table for the options with a short description can be found at |Q_op|.
 	|lambda| or a |Funcref|.  See |option-value-function| for more
 	information.
 
+	It is not allowed to change text or jump to another window while
+	evaluating 'qftf' |textlock|.
+
 	This option cannot be set from a |modeline| or in the |sandbox|, for
 	security reasons.
 

src/quickfix.c

@@ -5097,6 +5097,7 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
 	args[0].vval.v_dict = d;
 
 	qftf_list = NULL;
+	textlock++;
 	if (call_callback(cb, 0, &rettv, 1, args) != FAIL)
 	{
 	    if (rettv.v_type == VAR_LIST)
@@ -5106,6 +5107,7 @@ call_qftf_func(qf_list_T *qfl, int qf_winid, long start_idx, long end_idx)
 	    }
 	    clear_tv(&rettv);
 	}
+	textlock--;
 	dict_unref(d);
     }
 

src/testdir/test_quickfix.vim

@@ -6969,4 +6969,27 @@ func Test_quickfix_restore_current_win()
   bw! Xb
 endfunc
 
+func Test_quickfixtextfunc_wipes_buffer()
+  let g:crash=""
+  new
+  fu QFexpr(dummy)
+    bw
+  endfu
+  try
+    set quickfixtextfunc=QFexpr
+    lad "['0:4:e']"
+    lw
+  catch /^Vim\%((\S\+)\)\=:E565:/
+    let g:crash='caught'
+  endtry
+  " close location list window
+  bw
+  delfunc QFexpr
+  set quickfixtextfunc=
+  call assert_equal('caught', g:crash)
+  unlet g:crash
+  " close the newly opened window
+  bw
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

src/version.c

@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2079,
 /**/
     2078,
 /**/