mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2026-04-02 05:39:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(window): win_move_after UAF from naughty autocmds (#37065)

Browse Source 
Problem: use-after-free in win_move_after if win_enter autocommands free win1/2.
Solution: set w_pos_changed before calling win_enter.
This commit is contained in:
Sean Dewar
2025-12-21 20:31:05 +00:00
committed by GitHub
parent a2b9720939
commit d1189ea508
2 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/nvim/window.c
View File

@@ -2092,10 +2092,10 @@ void win_move_after(win_T *win1, win_T *win2)
win_comp_pos(); // recompute w_winrow for all windows win_comp_pos(); // recompute w_winrow for all windows
redraw_later(curwin, UPD_NOT_VALID); redraw_later(curwin, UPD_NOT_VALID);
} }
win_enter(win1, false);
win1->w_pos_changed = true; win1->w_pos_changed = true;
win2->w_pos_changed = true; win2->w_pos_changed = true;
win_enter(win1, false);
} }
/// Compute maximum number of windows that can fit within "height" in frame "fr". /// Compute maximum number of windows that can fit within "height" in frame "fr".

16
test/functional/autocmd/autocmd_spec.lua
View File

@@ -715,4 +715,20 @@ describe('autocmd', function()
vim.cmd "tabnew" vim.cmd "tabnew"
]] ]]
end) end)
it('no use-after-free from win_enter autocommands in win_move_after', function()
exec [[
split foo
split bar
lcd ..
wincmd b
]]
eq(fn.winnr('$'), fn.winnr())
-- Using DirChanged as Enter/Leave autocmds are blocked by :ball here.
exec [[
autocmd DirChanged * ++once split flarb | only!
ball
]]
eq('flarb', fn.bufname())
end)
end) end)