From ff6b8f54359037790b300cb06a025f84f11d829a Mon Sep 17 00:00:00 2001
From: "Justin M. Keyes" <justinkz@gmail.com>
Date: Sat, 18 Jun 2022 18:53:12 +0200
Subject: fix(terminal): coverity USE_AFTER_FREE #18978

Problem:
Coverity reports use after free:

    *** CID 352784:  Memory - illegal accesses  (USE_AFTER_FREE)
    /src/nvim/buffer.c: 1508 in set_curbuf()
    1502         if (old_tw != curbuf->b_p_tw) {
    1503           check_colorcolumn(curwin);
    1504         }
    1505       }
    1506
    1507       if (bufref_valid(&prevbufref) && prevbuf->terminal != NULL) {
    >>>     CID 352784:  Memory - illegal accesses  (USE_AFTER_FREE)
    >>>     Calling "terminal_check_size" dereferences freed pointer "prevbuf->terminal".
    1508         terminal_check_size(prevbuf->terminal);
    1509       }
    1510     }
    1511
    1512     /// Enter a new current buffer.
    1513     /// Old curbuf must have been abandoned already!  This also means "curbuf" may

Solution:
Change terminal_destroy and terminal_close to set caller storage to NULL,
similar to XFREE_CLEAR. This aligns with the pattern found already in:
terminal_destroy e897ccad3eb1e
term_delayed_free 3e59c1e20d605
---
 src/nvim/api/vim.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'src/nvim/api')

diff --git a/src/nvim/api/vim.c b/src/nvim/api/vim.c
index a60a069fae..3a24f2b405 100644
--- a/src/nvim/api/vim.c
+++ b/src/nvim/api/vim.c
@@ -1025,8 +1025,7 @@ static void term_resize(uint16_t width, uint16_t height, void *data)
 static void term_close(void *data)
 {
   Channel *chan = data;
-  terminal_destroy(chan->term);
-  chan->term = NULL;
+  terminal_destroy(&chan->term);
   api_free_luaref(chan->stream.internal.cb);
   chan->stream.internal.cb = LUA_NOREF;
   channel_decref(chan);
-- 
cgit