Skip to content

Commit 9b4a80a

Browse files
committed
patch 8.2.4281: using freed memory with :lopen and :bwipe
Problem: Using freed memory with :lopen and :bwipe. Solution: Do not use a wiped out buffer.
1 parent eb4a9ba commit 9b4a80a

File tree

3 files changed

+29
-4
lines changed

3 files changed

+29
-4
lines changed

Diff for: src/buffer.c

+10-4
Original file line numberDiff line numberDiff line change
@@ -1706,6 +1706,7 @@ set_curbuf(buf_T *buf, int action)
17061706
#endif
17071707
bufref_T newbufref;
17081708
bufref_T prevbufref;
1709+
int valid;
17091710

17101711
setpcmark();
17111712
if ((cmdmod.cmod_flags & CMOD_KEEPALT) == 0)
@@ -1763,13 +1764,19 @@ set_curbuf(buf_T *buf, int action)
17631764
// An autocommand may have deleted "buf", already entered it (e.g., when
17641765
// it did ":bunload") or aborted the script processing.
17651766
// If curwin->w_buffer is null, enter_buffer() will make it valid again
1766-
if ((buf_valid(buf) && buf != curbuf
1767+
valid = buf_valid(buf);
1768+
if ((valid && buf != curbuf
17671769
#ifdef FEAT_EVAL
17681770
&& !aborting()
17691771
#endif
17701772
) || curwin->w_buffer == NULL)
17711773
{
1772-
enter_buffer(buf);
1774+
// If the buffer is not valid but curwin->w_buffer is NULL we must
1775+
// enter some buffer. Using the last one is hopefully OK.
1776+
if (!valid)
1777+
enter_buffer(lastbuf);
1778+
else
1779+
enter_buffer(buf);
17731780
#ifdef FEAT_SYN_HL
17741781
if (old_tw != curbuf->b_p_tw)
17751782
check_colorcolumn(curwin);
@@ -2288,8 +2295,7 @@ free_buf_options(
22882295
clear_string_option(&buf->b_p_vsts);
22892296
vim_free(buf->b_p_vsts_nopaste);
22902297
buf->b_p_vsts_nopaste = NULL;
2291-
vim_free(buf->b_p_vsts_array);
2292-
buf->b_p_vsts_array = NULL;
2298+
VIM_CLEAR(buf->b_p_vsts_array);
22932299
clear_string_option(&buf->b_p_vts);
22942300
VIM_CLEAR(buf->b_p_vts_array);
22952301
#endif

Diff for: src/testdir/test_quickfix.vim

+17
Original file line numberDiff line numberDiff line change
@@ -979,6 +979,7 @@ func Test_locationlist_curwin_was_closed()
979979
call assert_fails('lrewind', 'E924:')
980980

981981
augroup! testgroup
982+
delfunc R
982983
endfunc
983984

984985
func Test_locationlist_cross_tab_jump()
@@ -5835,4 +5836,20 @@ func Test_two_qf_windows()
58355836
%bw!
58365837
endfunc
58375838

5839+
" Weird sequence of commands that caused entering a wiped-out buffer
5840+
func Test_lopen_bwipe()
5841+
func R()
5842+
silent! tab lopen
5843+
e x
5844+
silent! lfile
5845+
endfunc
5846+
5847+
cal R()
5848+
cal R()
5849+
cal R()
5850+
bw!
5851+
delfunc R
5852+
endfunc
5853+
5854+
58385855
" vim: shiftwidth=2 sts=2 expandtab

Diff for: src/version.c

+2
Original file line numberDiff line numberDiff line change
@@ -746,6 +746,8 @@ static char *(features[]) =
746746

747747
static int included_patches[] =
748748
{ /* Add new patch number below this line */
749+
/**/
750+
4281,
749751
/**/
750752
4280,
751753
/**/

0 commit comments

Comments
 (0)