Fix warnings: window.c: close_last_window_tabpage(): Use after free: RI.

Problem    : Use after free @ 1795.
Diagnostic : Real issue.
Rationale  : prev_curtab can in fact be freed as a result of call
             `win_close_othertab(win, free_buf, prev_curtab);`, but it's
             later used at
             `sprintf(..., tabpage_index(prev_curtab));`.
             This was introduced at
             3ffc5d81c34cfdd535573a50790690c88e4324bb.
Resolution : Move prev_idx calculation before the call freeing
             prev_curtab.

1 files changed, 4 insertions, 2 deletions

diff --git a/src/nvim/window.c b/src/nvim/window.c
index e51ef670da..1e8de3ce4f 100644
--- a/src/nvim/window.c
+++ b/src/nvim/window.c
@@ -1779,6 +1779,10 @@ static int close_last_window_tabpage(win_T *win, int free_buf, tabpage_T *prev_c
   goto_tabpage_tp(alt_tabpage(), FALSE, TRUE);
   redraw_tabline = TRUE;
 
+  // save index for tabclosed event
+  char_u prev_idx[NUMBUFLEN];
+  sprintf((char *)prev_idx, "%i", tabpage_index(prev_curtab));
+
   /* Safety check: Autocommands may have closed the window when jumping
    * to the other tab page. */
   if (valid_tabpage(prev_curtab) && prev_curtab->tp_firstwin == win) {
@@ -1790,8 +1794,6 @@ static int close_last_window_tabpage(win_T *win, int free_buf, tabpage_T *prev_c
   }
   /* Since goto_tabpage_tp above did not trigger *Enter autocommands, do
    * that now. */
-  char_u prev_idx[NUMBUFLEN];
-  sprintf((char *)prev_idx, "%i", tabpage_index(prev_curtab));
   apply_autocmds(EVENT_TABCLOSED, prev_idx, prev_idx, FALSE, curbuf);
   apply_autocmds(EVENT_WINENTER, NULL, NULL, FALSE, curbuf);
   apply_autocmds(EVENT_TABENTER, NULL, NULL, FALSE, curbuf);