mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-10-26 12:27:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(api): avoid open_win UAF if target buf deleted by autocmds

Browse Source 
Problem: WinNew and win_enter autocommands can delete the target buffer to
switch to, causing a heap-use-after-free.

Solution: store a bufref to the buffer, check it before attempting to switch.
This commit is contained in:
Sean Dewar
2024-02-11 20:15:47 +00:00
committed by Sean Dewar
parent e55a502ed4
commit b1e24f240b
2 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
test/functional/api/window_spec.lua
View File

@@ -1581,6 +1581,14 @@ describe('API/win', function()
api.nvim_open_win(api.nvim_create_buf(true, true), false, { split = 'left' })
eq(true, eval('fired'))
end)
it('no heap-use-after-free if target buffer deleted by autocommands', function()
local cur_buf = api.nvim_get_current_buf()
local new_buf = api.nvim_create_buf(true, true)
command('autocmd WinNew * ++once call nvim_buf_delete(' .. new_buf .. ', #{force: 1})')
api.nvim_open_win(new_buf, true, { split = 'left' })
eq(cur_buf, api.nvim_get_current_buf())
end)
end)
describe('set_config', function()