fix(terminal): heap UAF from autocmds when entering #38316

Problem: heap-use-after-free possible when entering Terminal mode if autocommands close the terminal. Solution: set the refcount. Skip to the end if we must close the terminal.
2026-04-24 16:25:40 +00:00 · 2026-03-15 21:38:25 +00:00
parent 0ca9849387
commit 1c57e4cb4f
2 changed files with 20 additions and 4 deletions
--- a/test/functional/terminal/buffer_spec.lua
+++ b/test/functional/terminal/buffer_spec.lua
@@ -1146,6 +1146,16 @@ describe(':terminal buffer', function()
    eq(false, api.nvim_buf_is_valid(term_buf))
  end)

+  it('no heap-use-after-free from autocmds when entering terminal mode', function()
+    local chans = api.nvim_list_chans()
+    local buf = api.nvim_get_current_buf()
+    api.nvim_open_term(0, {})
+    command('autocmd TermEnter,ModeChanged * ++once bwipeout!')
+    feed('i')
+    eq(false, api.nvim_buf_is_valid(buf))
+    eq(chans, api.nvim_list_chans())
+  end)
+
  local enew_screen = [[
    ^                                                  |
    {1:~                                                 }|*5