Fix warnings: window.c: close_last_window_tabpage(): Use after free: RI.

Problem : Use after free @ 1795. Diagnostic : Real issue. Rationale : prev_curtab can in fact be freed as a result of call `win_close_othertab(win, free_buf, prev_curtab);`, but it's later used at `sprintf(..., tabpage_index(prev_curtab));`. This was introduced at 3ffc5d81c3. Resolution : Move prev_idx calculation before the call freeing prev_curtab.
2025-09-11 05:48:17 +00:00 · 2015-02-20 12:14:27 +01:00
parent 56e339c594
commit c784ffb308
1 changed files with 4 additions and 2 deletions
--- a/src/nvim/window.c
+++ b/src/nvim/window.c
@@ -1779,6 +1779,10 @@ static int close_last_window_tabpage(win_T *win, int free_buf, tabpage_T *prev_c
  goto_tabpage_tp(alt_tabpage(), FALSE, TRUE);
  redraw_tabline = TRUE;

+  // save index for tabclosed event
+  char_u prev_idx[NUMBUFLEN];
+  sprintf((char *)prev_idx, "%i", tabpage_index(prev_curtab));
+
  /* Safety check: Autocommands may have closed the window when jumping
   * to the other tab page. */
  if (valid_tabpage(prev_curtab) && prev_curtab->tp_firstwin == win) {
@@ -1790,8 +1794,6 @@ static int close_last_window_tabpage(win_T *win, int free_buf, tabpage_T *prev_c
  }
  /* Since goto_tabpage_tp above did not trigger *Enter autocommands, do
   * that now. */
-  char_u prev_idx[NUMBUFLEN];
-  sprintf((char *)prev_idx, "%i", tabpage_index(prev_curtab));
  apply_autocmds(EVENT_TABCLOSED, prev_idx, prev_idx, FALSE, curbuf);
  apply_autocmds(EVENT_WINENTER, NULL, NULL, FALSE, curbuf);
  apply_autocmds(EVENT_TABENTER, NULL, NULL, FALSE, curbuf);