From c366c944c2d2f46862f8d3a660e52f2735f816ae Mon Sep 17 00:00:00 2001 From: Sean Dewar Date: Wed, 24 Nov 2021 02:48:55 +0000 Subject: vim-patch:8.1.2136: using freed memory with autocmd from fuzzer Problem: using freed memory with autocmd from fuzzer. (Dhiraj Mishra, Dominique Pelle) Solution: Avoid using "wp" after autocommands. (closes vim/vim#5041) https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421 Nvim doesn't use Vim's terminal implementation. Despite this, Nvim has its own *exclusive* way of crashing here. Requires 'winwidth' > winwidth() and 'nowinfixwidth' to crash; adjust the test ('nowfw' is the default, but ensure its disabled anyway). --- src/nvim/testdir/test_autocmd.vim | 11 +++++++++++ src/nvim/window.c | 3 ++- 2 files changed, 13 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/nvim/testdir/test_autocmd.vim b/src/nvim/testdir/test_autocmd.vim index 0c8b8a45d9..1bc9d95f05 100644 --- a/src/nvim/testdir/test_autocmd.vim +++ b/src/nvim/testdir/test_autocmd.vim @@ -1897,6 +1897,17 @@ func Test_autocmd_CmdWinEnter() call delete(filename) endfunc +func Test_autocmd_was_using_freed_memory() + pedit xx + n x + au WinEnter * quit + " Nvim needs large 'winwidth' and 'nowinfixwidth' to crash + set winwidth=99999 nowinfixwidth + split + au! WinEnter + set winwidth& winfixwidth& +endfunc + func Test_FileChangedShell_reload() if !has('unix') return diff --git a/src/nvim/window.c b/src/nvim/window.c index e328ff5467..3e6e42dec2 100644 --- a/src/nvim/window.c +++ b/src/nvim/window.c @@ -4525,6 +4525,7 @@ static void win_enter_ext(win_T *const wp, const int flags) fix_current_dir(); + // Careful: autocommands may close the window and make "wp" invalid if (flags & WEE_TRIGGER_NEW_AUTOCMDS) { apply_autocmds(EVENT_WINNEW, NULL, NULL, false, curbuf); } @@ -4558,7 +4559,7 @@ static void win_enter_ext(win_T *const wp, const int flags) } // set window width to desired minimal value - if (curwin->w_width < p_wiw && !curwin->w_p_wfw && !wp->w_floating) { + if (curwin->w_width < p_wiw && !curwin->w_p_wfw && !curwin->w_floating) { win_setwidth((int)p_wiw); } -- cgit