vim-patch:8.2.0381: using freed memory with :lvimgrep and autocommand

Problem: Using freed memory with :lvimgrep and autocommand. (extracted from POC by Dominique Pelle) Solution: Avoid deleting a dummy buffer used in a window. (closes vim/vim#5777) 2573af3519
2025-10-17 15:21:47 +00:00 · 2020-03-14 13:41:42 -04:00
parent e892dde369
commit 7ef2677ca6
2 changed files with 31 additions and 1 deletions
--- a/src/nvim/quickfix.c
+++ b/src/nvim/quickfix.c
@@ -5134,6 +5134,7 @@ theend:
 // Restore current working directory to "dirname_start" if they differ, taking
 // into account whether it is set locally or globally.
 static void restore_start_dir(char_u *dirname_start)
+  FUNC_ATTR_NONNULL_ALL
 {
  char_u *dirname_now = xmalloc(MAXPATHL);

@@ -5251,8 +5252,29 @@ load_dummy_buffer (
 // directory to "dirname_start" prior to returning, if autocmds or the
 // 'autochdir' option have changed it.
 static void wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
+  FUNC_ATTR_NONNULL_ALL
 {
-  if (curbuf != buf) {          // safety check
+  // If any autocommand opened a window on the dummy buffer, close that
+  // window.  If we can't close them all then give up.
+  while (buf->b_nwindows > 0) {
+    bool did_one = false;
+
+    if (firstwin->w_next != NULL) {
+      for (win_T *wp = firstwin; wp != NULL; wp = wp->w_next) {
+        if (wp->w_buffer == buf) {
+          if (win_close(wp, false) == OK) {
+            did_one = true;
+          }
+          break;
+        }
+      }
+    }
+    if (!did_one) {
+      return;
+    }
+  }
+
+  if (curbuf != buf && buf->b_nwindows == 0) {  // safety check
    cleanup_T cs;

    // Reset the error/interrupt/exception state here so that aborting()