From eaae55cd29c08d6d541096ea3a3f55d519d9cceb Mon Sep 17 00:00:00 2001
From: Yegappan Lakshmanan <yegappan@yahoo.com>
Date: Tue, 3 Nov 2020 07:04:15 -0800
Subject: [PATCH 1/3] Validate the buffer pointer before derefencing it. Free
 the sign type name

---
 src/netbeans.c                | 10 ++++------
 src/testdir/test_netbeans.vim |  1 +
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/netbeans.c b/src/netbeans.c
index ccff3a5367b3d2..1fd13d72b7e01d 100644
--- a/src/netbeans.c
+++ b/src/netbeans.c
@@ -572,7 +572,7 @@ nb_free(void)
 	buf = buf_list[i];
 	vim_free(buf.displayname);
 	vim_free(buf.signmap);
-	if (buf.bufp != NULL)
+	if (buf.bufp != NULL && buf_valid(buf.bufp))
 	{
 	    buf.bufp->b_netbeans_file = FALSE;
 	    buf.bufp->b_was_netbeans_file = FALSE;
@@ -1943,15 +1943,13 @@ nb_do_cmd(
 	    if (STRLEN(fg) > MAX_COLOR_LENGTH || STRLEN(bg) > MAX_COLOR_LENGTH)
 	    {
 		emsg("E532: highlighting color name too long in defineAnnoType");
-		vim_free(typeName);
+		VIM_CLEAR(typeName);
 		parse_error = TRUE;
 	    }
 	    else if (typeName != NULL && tooltip != NULL && glyphFile != NULL)
 		addsigntype(buf, typeNum, typeName, tooltip, glyphFile, fg, bg);
-	    else
-		vim_free(typeName);
 
-	    // don't free typeName; it's used directly in addsigntype()
+	    vim_free(typeName);
 	    vim_free(fg);
 	    vim_free(bg);
 	    vim_free(tooltip);
@@ -3240,7 +3238,7 @@ addsigntype(
 	    }
 	}
 
-	globalsignmap[i] = (char *)typeName;
+	globalsignmap[i] = vim_strsave((char *)typeName);
 	globalsignmapused = i + 1;
     }
 
diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim
index 629c31af9e983b..ea845bd674921f 100644
--- a/src/testdir/test_netbeans.vim
+++ b/src/testdir/test_netbeans.vim
@@ -845,6 +845,7 @@ func Nb_quit_with_conn(port)
   call writefile([], "Xnetbeans")
   let after =<< trim END
     source shared.vim
+    set cpo&vim
 
     func ReadXnetbeans()
       let l = readfile("Xnetbeans")

From 1a2ff85f6370d75f44a7726c8018a0b914b0818b Mon Sep 17 00:00:00 2001
From: Yegappan Lakshmanan <yegappan@yahoo.com>
Date: Tue, 3 Nov 2020 07:30:41 -0800
Subject: [PATCH 2/3] Use the right type for cast

---
 src/netbeans.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/netbeans.c b/src/netbeans.c
index 1fd13d72b7e01d..1a565df003498e 100644
--- a/src/netbeans.c
+++ b/src/netbeans.c
@@ -3238,7 +3238,7 @@ addsigntype(
 	    }
 	}
 
-	globalsignmap[i] = vim_strsave((char *)typeName);
+	globalsignmap[i] = (char *)vim_strsave(typeName);
 	globalsignmapused = i + 1;
     }
 

From ad69d43a5c5c058e00671df6ba2c8f524f9842cd Mon Sep 17 00:00:00 2001
From: Yegappan Lakshmanan <yegappan@yahoo.com>
Date: Thu, 5 Nov 2020 22:45:08 -0800
Subject: [PATCH 3/3] Add a test for reproducing the ASAN error with the
 netbeans interface

---
 src/testdir/test_netbeans.vim | 46 ++++++++++++++++++++++++++++++++---
 1 file changed, 43 insertions(+), 3 deletions(-)

diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim
index ea845bd674921f..490e528c43048a 100644
--- a/src/testdir/test_netbeans.vim
+++ b/src/testdir/test_netbeans.vim
@@ -34,9 +34,9 @@ endfunc
 " Read the "Xnetbeans" file and filter out geometry messages.
 func ReadXnetbeans()
   let l = readfile("Xnetbeans")
-  " Xnetbeans may include '0:geometry=' messages on GUI environment if window
+  " Xnetbeans may include '0:geometry=' messages in the GUI Vim if the window
   " position, size, or z order are changed.  Remove these messages because
-  " will causes troubles on check.
+  " these message will break the assert for the output.
   return filter(l, 'v:val !~ "^0:geometry="')
 endfunc
 
@@ -388,7 +388,7 @@ func Nb_basic(port)
   call assert_equal('send: 2:defineAnnoType!60 1 "s1" "x" "=>" blue none', l[-1])
   sleep 1m
   call assert_equal({'name': '1', 'texthl': 'NB_s1', 'text': '=>'},
-        \ sign_getdefined()[0])
+        \ sign_getdefined()->get(0, {}))
   let g:last += 3
 
   " defineAnnoType with a long color name
@@ -892,4 +892,44 @@ func Test_nb_quit_with_conn()
   call s:run_server('Nb_quit_with_conn')
 endfunc
 
+func Nb_bwipe_buffer(port)
+  call delete("Xnetbeans")
+  call writefile([], "Xnetbeans")
+
+  " Last line number in the Xnetbeans file. Used to verify the result of the
+  " communication with the netbeans server
+  let g:last = 0
+
+  " Establish the connection with the netbeans server
+  exe 'nbstart :localhost:' .. a:port .. ':bunny'
+  call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
+  let l = ReadXnetbeans()
+  call assert_equal(['AUTH bunny',
+        \ '0:version=0 "2.5"',
+        \ '0:startupDone=0'], l[-3:])
+  let g:last += 3
+
+  " Open the command buffer to communicate with the server
+  split Xcmdbuf
+  call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
+  let l = ReadXnetbeans()
+  call assert_equal('0:fileOpened=0 "Xcmdbuf" T F',
+        \ substitute(l[-3], '".*/', '"', ''))
+  call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"',
+        \ substitute(l[-2], '".*/', '"', ''))
+  call assert_equal('1:startDocumentListen!16', l[-1])
+  let g:last += 3
+
+  sleep 10m
+endfunc
+
+" This test used to reference a buffer after it was freed leading to an ASAN
+" error.
+func Test_nb_bwipe_buffer()
+  call s:run_server('Nb_bwipe_buffer')
+  %bwipe!
+  sleep 100m
+  nbclose
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab