From caa33aaaf8b044cf3a8311213d0841d2d9e591a5 Mon Sep 17 00:00:00 2001
From: James McCoy <jamessan@jamessan.com>
Date: Sat, 12 Nov 2016 14:18:29 -0500
Subject: [PATCH] vim-patch:7.4.1647

Problem:    Using freed memory after setqflist() and ":caddbuffer".  (Dominique)
Solution:   Set qf_ptr when adding the first item to the quickfix list.

https://github.com/vim/vim/commit/8b20179c657b4266dff115486ca68c6a50324071
---
 src/nvim/quickfix.c                      |  6 +++++-
 src/nvim/version.c                       |  2 +-
 test/functional/legacy/quickfix_spec.lua | 16 ++++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/nvim/quickfix.c b/src/nvim/quickfix.c
index 71fcb5e60f..6bb863985e 100644
--- a/src/nvim/quickfix.c
+++ b/src/nvim/quickfix.c
@@ -910,6 +910,8 @@ static int qf_add_entry(qf_info_T *qi, qfline_T **prevp, char_u *dir,
   if (qi->qf_lists[qi->qf_curlist].qf_count == 0) {
     /* first element in the list */
     qi->qf_lists[qi->qf_curlist].qf_start = qfp;
+    qi->qf_lists[qi->qf_curlist].qf_ptr = qfp;
+    qi->qf_lists[qi->qf_curlist].qf_index = 0;
     qfp->qf_prev = qfp;         /* first element points to itself */
   } else {
     assert(*prevp);
@@ -3621,7 +3623,9 @@ int set_errorlist(win_T *wp, list_T *list, int action, char_u *title)
   else
     qi->qf_lists[qi->qf_curlist].qf_nonevalid = FALSE;
   qi->qf_lists[qi->qf_curlist].qf_ptr = qi->qf_lists[qi->qf_curlist].qf_start;
-  qi->qf_lists[qi->qf_curlist].qf_index = 1;
+  if (qi->qf_lists[qi->qf_curlist].qf_count > 0) {
+    qi->qf_lists[qi->qf_curlist].qf_index = 1;
+  }
 
   qf_update_buffer(qi);
 
diff --git a/src/nvim/version.c b/src/nvim/version.c
index 69438c50d0..7e88672e69 100644
--- a/src/nvim/version.c
+++ b/src/nvim/version.c
@@ -797,7 +797,7 @@ static int included_patches[] = {
   // 1650,
   1649,
   1648,
-  // 1647,
+  1647,
   // 1646 NA
   // 1645,
   // 1644,
diff --git a/test/functional/legacy/quickfix_spec.lua b/test/functional/legacy/quickfix_spec.lua
index 480e046f55..fa9ddc78ae 100644
--- a/test/functional/legacy/quickfix_spec.lua
+++ b/test/functional/legacy/quickfix_spec.lua
@@ -443,6 +443,17 @@ describe('helpgrep', function()
 
         augroup! testgroup
       endfunc
+
+      func Test_caddbuffer_to_empty()
+        helpgr quickfix
+        call setqflist([], 'r')
+        cad
+        call assert_fails('cn', 'E553:')
+        " Upstream calls quit! here to verify vim is still
+        " running, but that will be covered by the
+        " expected_empty() call in the busted test
+        " quit!
+      endfunc
       ]])
   end)
 
@@ -522,6 +533,11 @@ describe('helpgrep', function()
     call('XquickfixChangedByAutocmd', 'l')
     expected_empty()
   end)
+
+  it('does not crash after using caddbuffer with an empty qf list', function()
+    call('Test_caddbuffer_to_empty')
+    expected_empty()
+  end)
 end)
 
 describe('errorformat', function()