From 9540e7470beb1fce987c411564effe6625fd0528 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Tue, 27 Jan 2026 13:12:15 +0800
Subject: [PATCH] fix(terminal): possible heap-use-after-free during Nvim exit

Usually, terminal_close() calls refresh_terminal(), which allocates the scrollback buffer, and term_may_alloc_scrollback() in terminal_open() won't dereference the buffer. However, refresh_terminal() is not called during Nvim exit, in which case a heap-use-after-free may happen if TermOpen wipes buffer. Check for non-NULL buf_handle to avoid that.
---
 src/nvim/terminal.c | 2 +-
 test/functional/terminal/channel_spec.lua | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/nvim/terminal.c b/src/nvim/terminal.c
index 1053c43b7e..1c9457b671 100644
--- a/src/nvim/terminal.c
+++ b/src/nvim/terminal.c
@@ -566,7 +566,7 @@ void terminal_open(Terminal **termpp, buf_T *buf, TerminalOptions opts)
 aucmd_restbuf(&aco);
- if (*termpp == NULL) {
+ if (*termpp == NULL || term->buf_handle == 0) {
 return; // Terminal has already been destroyed.
 }
diff --git a/test/functional/terminal/channel_spec.lua b/test/functional/terminal/channel_spec.lua
index d18e8cc11e..924909f2d2 100644
--- a/test/functional/terminal/channel_spec.lua
+++ b/test/functional/terminal/channel_spec.lua
@@ -213,6 +213,16 @@ describe('no crash when TermOpen autocommand', function()
 ]])
 assert_alive()
 end)
+
+ it('wipes buffer when using jobstart(…,{term=true}) during Nvim exit', function()
+ n.expect_exit(n.exec_lua, function()
+ vim.schedule(function()
+ vim.fn.jobstart(term_args, { term = true })
+ end)
+ vim.cmd('autocmd TermOpen * bwipe!')
+ vim.cmd('qall!')
+ end)
+ end)
 end)
 describe('nvim_open_term', function()
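Review bot: The trailing comment on the early return in terminal_open() now describes only half of the condition: when `term->buf_handle == 0` the Terminal still exists and only its buffer is gone, which is the exit-time case the commit message describes. Since this guard is what keeps the code after it from touching a wiped buffer, I would spell that out, e.g. `return;  // Terminal destroyed, or its buffer was wiped by TermOpen (buf_handle cleared).` The check also reads through `term`, presumably a local alias of `*termpp` taken earlier in the function. That read is safe only while every path that frees the Terminal also clears `*termpp`, which deserves a one-line comment at the declaration. terminal_open() starts and ends outside this hunk.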
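Review bot: The new `it(...)` case carries no comment saying what failure it guards against, and a heap-use-after-free is not guaranteed to crash a build without a memory sanitizer, so `n.expect_exit` may pass with the bug still present. A short comment above the test would record that, e.g. `-- Regression test for a use-after-free in terminal_open(); only reliably detected in sanitizer (ASAN) builds.` It would also help to note why `jobstart` is wrapped in `vim.schedule`, presumably so the terminal is opened while `qall!` is already in progress. The enclosing `describe` block starts outside the hunk.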