vim-patch:8.1.2136: using freed memory with autocmd from fuzzer

Problem: using freed memory with autocmd from fuzzer. (Dhiraj Mishra, Dominique Pelle) Solution: Avoid using "wp" after autocommands. (closes vim/vim#5041) ec66c41d84 Nvim doesn't use Vim's terminal implementation. Despite this, Nvim has its own *exclusive* way of crashing here. Requires 'winwidth' > winwidth() and 'nowinfixwidth' to crash; adjust the test ('nowfw' is the default, but ensure its disabled anyway).
2025-02-25 18:55:25 -06:00 · 2021-11-24 02:48:55 +00:00 · 2021-11-24 02:48:55 +00:00 · c366c944c2
commit c366c944c2
parent dd8a4e2c22
2 changed files with 13 additions and 1 deletions
--- a/src/nvim/testdir/test_autocmd.vim
+++ b/src/nvim/testdir/test_autocmd.vim
@ -1897,6 +1897,17 @@ func Test_autocmd_CmdWinEnter()
  call delete(filename)
 endfunc

+func Test_autocmd_was_using_freed_memory()
+  pedit xx
+  n x
+  au WinEnter * quit
+  " Nvim needs large 'winwidth' and 'nowinfixwidth' to crash
+  set winwidth=99999 nowinfixwidth
+  split
+  au! WinEnter
+  set winwidth& winfixwidth&
+endfunc
+
 func Test_FileChangedShell_reload()
  if !has('unix')
    return
--- a/src/nvim/window.c
+++ b/src/nvim/window.c
@ -4525,6 +4525,7 @@ static void win_enter_ext(win_T *const wp, const int flags)

  fix_current_dir();

+  // Careful: autocommands may close the window and make "wp" invalid
  if (flags & WEE_TRIGGER_NEW_AUTOCMDS) {
    apply_autocmds(EVENT_WINNEW, NULL, NULL, false, curbuf);
  }
@ -4558,7 +4559,7 @@ static void win_enter_ext(win_T *const wp, const int flags)
  }

  // set window width to desired minimal value
-  if (curwin->w_width < p_wiw && !curwin->w_p_wfw && !wp->w_floating) {
+  if (curwin->w_width < p_wiw && !curwin->w_p_wfw && !curwin->w_floating) {
    win_setwidth((int)p_wiw);
  }