patch 9.0.1859: heap-use-after-free in bt_normal()

Problem:  heap-use-after-free in bt_normal()
Solution: check that buffer is still valid

Signed-off-by: Christian Brabandt <cb@256bit.org>

src/buffer.c

@@ -5777,7 +5777,7 @@ bt_normal(buf_T *buf)
 bt_quickfix(buf_T *buf UNUSED)
 {
 #ifdef FEAT_QUICKFIX
-    return buf != NULL && buf->b_p_bt[0] == 'q';
+    return buf != NULL && buf_valid(buf) && buf->b_p_bt[0] == 'q';
 #else
     return FALSE;
 #endif

src/testdir/crash/bt_quickfix1_poc

@@ -0,0 +1,5 @@
+au BufReadPre * exe 'sn' .. expand("<abuf>")
+call writefile([''],'X')
+sil! e X
+call writefile([''],'X')
+sil! e X

src/testdir/test_crash.vim

@@ -49,6 +49,15 @@ func Test_crash1()
 
   call TermWait(buf, 100)
 
+  let file = 'crash/bt_quickfix1_poc'
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+  " clean up
+  call delete('X')
+  " This test takes a bit longer
+  call TermWait(buf, 200)
+
   " clean up
   exe buf .. "bw!"
 
@@ -60,6 +69,7 @@ func Test_crash1()
       \ 'crash 3: [OK]',
       \ 'crash 4: [OK]',
       \ 'crash 5: [OK]',
+      \ 'crash 6: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))

src/version.c

@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1859,
 /**/
     1858,
 /**/