fix(terminal): possible heap-use-after-free during Nvim exit

Usually, terminal_close() calls refresh_terminal(), which allocates the scrollback buffer, and term_may_alloc_scrollback() in terminal_open() won't dereference the buffer. However, refresh_terminal() is not called during Nvim exit, in which case a heap-use-after-free may happen if TermOpen wipes buffer. Check for non-NULL buf_handle to avoid that.
2026-03-31 04:42:03 +00:00 · 2026-01-27 13:12:15 +08:00
parent b4039ec0b0
commit 9540e7470b
2 changed files with 11 additions and 1 deletions
--- a/src/nvim/terminal.c
+++ b/src/nvim/terminal.c
@@ -566,7 +566,7 @@ void terminal_open(Terminal **termpp, buf_T *buf, TerminalOptions opts)

  aucmd_restbuf(&aco);

-  if (*termpp == NULL) {
+  if (*termpp == NULL || term->buf_handle == 0) {
    return;  // Terminal has already been destroyed.
  }

--- a/test/functional/terminal/channel_spec.lua
+++ b/test/functional/terminal/channel_spec.lua
@@ -213,6 +213,16 @@ describe('no crash when TermOpen autocommand', function()
    ]])
    assert_alive()
  end)
+
+  it('wipes buffer when using jobstart(…,{term=true}) during Nvim exit', function()
+    n.expect_exit(n.exec_lua, function()
+      vim.schedule(function()
+        vim.fn.jobstart(term_args, { term = true })
+      end)
+      vim.cmd('autocmd TermOpen * bwipe!')
+      vim.cmd('qall!')
+    end)
+  end)
 end)

 describe('nvim_open_term', function()