From ff6b8f54359037790b300cb06a025f84f11d829a Mon Sep 17 00:00:00 2001
From: "Justin M. Keyes"
Date: Sat, 18 Jun 2022 18:53:12 +0200
Subject: fix(terminal): coverity USE_AFTER_FREE #18978
Problem: Coverity reports use after free: *** CID 352784: Memory - illegal accesses (USE_AFTER_FREE) /src/nvim/buffer.c: 1508 in set_curbuf() 1502 if (old_tw != curbuf->b_p_tw) { 1503 check_colorcolumn(curwin); 1504 } 1505 } 1506 1507 if (bufref_valid(&prevbufref) && prevbuf->terminal != NULL) { >>> CID 352784: Memory - illegal accesses (USE_AFTER_FREE) >>> Calling "terminal_check_size" dereferences freed pointer "prevbuf->terminal". 1508 terminal_check_size(prevbuf->terminal); 1509 } 1510 } 1511 1512 /// Enter a new current buffer. 1513 /// Old curbuf must have been abandoned already! This also means "curbuf" may
Solution: Change terminal_destroy and terminal_close to set caller storage to NULL, similar to XFREE_CLEAR. This aligns with the pattern found already in: terminal_destroy e897ccad3eb1e term_delayed_free 3e59c1e20d605
---
 src/nvim/buffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/nvim/buffer.c')
diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c
index 4fb3f66349..f13f6e35ea 100644
--- a/src/nvim/buffer.c
+++ b/src/nvim/buffer.c
@@ -527,7 +527,7 @@ bool close_buffer(win_T *win, buf_T *buf, int action, bool abort_if_last, bool i
 }
 if (buf->terminal) {
- terminal_close(buf->terminal, -1);
+ terminal_close(&buf->terminal, -1);
 }
 // Always remove the buffer when there is no file name.
-- cgit
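Review bot: The new call `terminal_close(&buf->terminal, -1)` hands the callee the address of the field so it can clear it, but nothing at the call site says that `buf->terminal` may be NULL once the call returns. The guard quoted in the commit message, `bufref_valid(&prevbufref) && prevbuf->terminal != NULL` in set_curbuf(), is only sound if the field is reset on every path that frees the terminal; terminal_close itself is not part of this path-limited diff, so that cannot be confirmed from here. I would add `// terminal_close() may free the terminal and reset buf->terminal to NULL; re-check the field rather than using a saved copy.` above the call. close_buffer()'s body starts and ends outside the hunk, so any later read of `buf->terminal` in it should be checked against this.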