patch 8.2.0381: using freed memory with :lvimgrep and autocommand

Problem:    Using freed memory with :lvimgrep and autocommand. (extracted from
            POC by Dominique Pelle)
Solution:   Avoid deleting a dummy buffer used in a window. (closes #5777)

diff --git a/src/quickfix.c b/src/quickfix.c
index 7ae489b5d3e38abad8d3a9805b49558d805524ed..f82a187166087d021b00e3dad7968ee80b4e5072 100644 (file)
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -6268,7 +6268,26 @@ load_dummy_buffer(
     static void
 wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
 {
-    if (curbuf != buf)         // safety check
+    // If any autocommand opened a window on the dummy buffer, close that
+    // window.  If we can't close them all then give up.
+    while (buf->b_nwindows > 0)
+    {
+       int         did_one = FALSE;
+       win_T       *wp;
+
+       if (firstwin->w_next != NULL)
+           for (wp = firstwin; wp != NULL; wp = wp->w_next)
+               if (wp->w_buffer == buf)
+               {
+                   if (win_close(wp, FALSE) == OK)
+                       did_one = TRUE;
+                   break;
+               }
+       if (!did_one)
+           return;
+    }
+
+    if (curbuf != buf && buf->b_nwindows == 0) // safety check
     {
 #if defined(FEAT_EVAL)
        cleanup_T   cs;

diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 2b51b576c0c39d5943a766831caff295602ce734..c1b50631beabd8ec6dd871e9a298bdd6ff6e2683 100644 (file)
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -3684,6 +3684,14 @@ func Test_lvimgrep_crash()
   enew | only
 endfunc
 
+func Test_lvimgrep_crash2()
+  au BufNewFile x sfind
+  call assert_fails('lvimgrep x x', 'E480:')
+  call assert_fails('lvimgrep x x x', 'E480:')
+
+  au! BufNewFile
+endfunc
+
 " Test for the position of the quickfix and location list window
 func Test_qfwin_pos()
   " Open two windows

diff --git a/src/version.c b/src/version.c
index 2d5c134c3bdb19dfcf2dafee69415171cdecc928..e49c628a334663edfd3ce3a3a89fe796a4b2342c 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -738,6 +738,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    381,
 /**/
     380,
 /**/