From c784ffb30892050b9002df93cc84a5f68a8c872c Mon Sep 17 00:00:00 2001 From: Eliseo Martínez Date: Fri, 20 Feb 2015 12:14:27 +0100 Subject: Fix warnings: window.c: close_last_window_tabpage(): Use after free: RI. Problem : Use after free @ 1795. Diagnostic : Real issue. Rationale : prev_curtab can in fact be freed as a result of call `win_close_othertab(win, free_buf, prev_curtab);`, but it's later used at `sprintf(..., tabpage_index(prev_curtab));`. This was introduced at 3ffc5d81c34cfdd535573a50790690c88e4324bb. Resolution : Move prev_idx calculation before the call freeing prev_curtab. --- src/nvim/window.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/nvim/window.c b/src/nvim/window.c index e51ef670da..1e8de3ce4f 100644 --- a/src/nvim/window.c +++ b/src/nvim/window.c @@ -1779,6 +1779,10 @@ static int close_last_window_tabpage(win_T *win, int free_buf, tabpage_T *prev_c goto_tabpage_tp(alt_tabpage(), FALSE, TRUE); redraw_tabline = TRUE; + // save index for tabclosed event + char_u prev_idx[NUMBUFLEN]; + sprintf((char *)prev_idx, "%i", tabpage_index(prev_curtab)); + /* Safety check: Autocommands may have closed the window when jumping * to the other tab page. */ if (valid_tabpage(prev_curtab) && prev_curtab->tp_firstwin == win) { @@ -1790,8 +1794,6 @@ static int close_last_window_tabpage(win_T *win, int free_buf, tabpage_T *prev_c } /* Since goto_tabpage_tp above did not trigger *Enter autocommands, do * that now. */ - char_u prev_idx[NUMBUFLEN]; - sprintf((char *)prev_idx, "%i", tabpage_index(prev_curtab)); apply_autocmds(EVENT_TABCLOSED, prev_idx, prev_idx, FALSE, curbuf); apply_autocmds(EVENT_WINENTER, NULL, NULL, FALSE, curbuf); apply_autocmds(EVENT_TABENTER, NULL, NULL, FALSE, curbuf); -- cgit