Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
patch 8.2.4281: using freed memory with :lopen and :bwipe
Problem:    Using freed memory with :lopen and :bwipe.
Solution:   Do not use a wiped out buffer.
  • Loading branch information
brammool committed Feb 1, 2022
1 parent eb4a9ba commit 9b4a80a
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 4 deletions.
14 changes: 10 additions & 4 deletions src/buffer.c
Expand Up @@ -1706,6 +1706,7 @@ set_curbuf(buf_T *buf, int action)
#endif
bufref_T newbufref;
bufref_T prevbufref;
int valid;

setpcmark();
if ((cmdmod.cmod_flags & CMOD_KEEPALT) == 0)
Expand Down Expand Up @@ -1763,13 +1764,19 @@ set_curbuf(buf_T *buf, int action)
// An autocommand may have deleted "buf", already entered it (e.g., when
// it did ":bunload") or aborted the script processing.
// If curwin->w_buffer is null, enter_buffer() will make it valid again
if ((buf_valid(buf) && buf != curbuf
valid = buf_valid(buf);
if ((valid && buf != curbuf
#ifdef FEAT_EVAL
&& !aborting()
#endif
) || curwin->w_buffer == NULL)
{
enter_buffer(buf);
// If the buffer is not valid but curwin->w_buffer is NULL we must
// enter some buffer. Using the last one is hopefully OK.
if (!valid)
enter_buffer(lastbuf);
else
enter_buffer(buf);
#ifdef FEAT_SYN_HL
if (old_tw != curbuf->b_p_tw)
check_colorcolumn(curwin);
Expand Down Expand Up @@ -2288,8 +2295,7 @@ free_buf_options(
clear_string_option(&buf->b_p_vsts);
vim_free(buf->b_p_vsts_nopaste);
buf->b_p_vsts_nopaste = NULL;
vim_free(buf->b_p_vsts_array);
buf->b_p_vsts_array = NULL;
VIM_CLEAR(buf->b_p_vsts_array);
clear_string_option(&buf->b_p_vts);
VIM_CLEAR(buf->b_p_vts_array);
#endif
Expand Down
17 changes: 17 additions & 0 deletions src/testdir/test_quickfix.vim
Expand Up @@ -979,6 +979,7 @@ func Test_locationlist_curwin_was_closed()
call assert_fails('lrewind', 'E924:')

augroup! testgroup
delfunc R
endfunc

func Test_locationlist_cross_tab_jump()
Expand Down Expand Up @@ -5835,4 +5836,20 @@ func Test_two_qf_windows()
%bw!
endfunc

" Weird sequence of commands that caused entering a wiped-out buffer
func Test_lopen_bwipe()
func R()
silent! tab lopen
e x
silent! lfile
endfunc

cal R()
cal R()
cal R()
bw!
delfunc R
endfunc


" vim: shiftwidth=2 sts=2 expandtab
2 changes: 2 additions & 0 deletions src/version.c
Expand Up @@ -746,6 +746,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
/**/
4281,
/**/
4280,
/**/
Expand Down

0 comments on commit 9b4a80a

Please sign in to comment.