diff options
| author | Sean Dewar <seandewar@users.noreply.github.com> | 2024-02-11 20:15:47 +0000 |
|---|---|---|
| committer | Sean Dewar <6256228+seandewar@users.noreply.github.com> | 2024-03-08 23:24:03 +0000 |
| commit | b1e24f240baeea80dcf4a3d8453fed0230fb88fd (patch) | |
| tree | a41992d36bc950c8f8f2478f7b477622d2d16e18 /test/functional/api/window_spec.lua | |
| parent | e55a502ed413d2bc8954b5227acfb34c8689f979 (diff) | |
| download | rneovim-b1e24f240baeea80dcf4a3d8453fed0230fb88fd.tar.gz rneovim-b1e24f240baeea80dcf4a3d8453fed0230fb88fd.tar.bz2 rneovim-b1e24f240baeea80dcf4a3d8453fed0230fb88fd.zip | |
fix(api): avoid open_win UAF if target buf deleted by autocmds
Problem: WinNew and win_enter autocommands can delete the target buffer to
switch to, causing a heap-use-after-free.
Solution: store a bufref to the buffer, check it before attempting to switch.
Diffstat (limited to 'test/functional/api/window_spec.lua')
| -rw-r--r-- | test/functional/api/window_spec.lua | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/test/functional/api/window_spec.lua b/test/functional/api/window_spec.lua index e0cb66de41..2f6a02b5d5 100644 --- a/test/functional/api/window_spec.lua +++ b/test/functional/api/window_spec.lua @@ -1581,6 +1581,14 @@ describe('API/win', function() api.nvim_open_win(api.nvim_create_buf(true, true), false, { split = 'left' }) eq(true, eval('fired')) end) + + it('no heap-use-after-free if target buffer deleted by autocommands', function() + local cur_buf = api.nvim_get_current_buf() + local new_buf = api.nvim_create_buf(true, true) + command('autocmd WinNew * ++once call nvim_buf_delete(' .. new_buf .. ', #{force: 1})') + api.nvim_open_win(new_buf, true, { split = 'left' }) + eq(cur_buf, api.nvim_get_current_buf()) + end) end) describe('set_config', function() |