fix(window): win_move_after UAF from naughty autocmds (#37065)

Problem: use-after-free in win_move_after if win_enter autocommands free win1/2. Solution: set w_pos_changed before calling win_enter.
2026-04-22 07:15:34 +00:00 · 2025-12-21 20:31:05 +00:00
parent a2b9720939
commit d1189ea508
2 changed files with 18 additions and 2 deletions
--- a/src/nvim/window.c
+++ b/src/nvim/window.c
@@ -2092,10 +2092,10 @@ void win_move_after(win_T *win1, win_T *win2)
    win_comp_pos();  // recompute w_winrow for all windows
    redraw_later(curwin, UPD_NOT_VALID);
  }
-  win_enter(win1, false);
-
  win1->w_pos_changed = true;
  win2->w_pos_changed = true;
+
+  win_enter(win1, false);
 }

 /// Compute maximum number of windows that can fit within "height" in frame "fr".