patch 8.2.2472: crash when using command line window in an autocommand v8.2.2472
authorBram Moolenaar <Bram@vim.org>
Sat, 6 Feb 2021 16:30:31 +0000 (17:30 +0100)
committerBram Moolenaar <Bram@vim.org>
Sat, 6 Feb 2021 16:30:31 +0000 (17:30 +0100)
Problem:    Crash when using command line window in an autocommand.
            (houyunsong)
Solution:   Save and restore au_new_curbuf.

src/ex_cmds.c
src/testdir/test_autocmd.vim
src/version.c

index b6e1cbf7f059501ed170b5eb8b8fb06d435cb149..90a9403ff373680cc1674a23314d4de890290b45 100644 (file)
@@ -2710,8 +2710,9 @@ do_ecmd(
         */
        if (buf != curbuf)
        {
+           bufref_T    save_au_new_curbuf;
 #ifdef FEAT_CMDWIN
-           int save_cmdwin_type = cmdwin_type;
+           int         save_cmdwin_type = cmdwin_type;
 
            // BufLeave applies to the old buffer.
            cmdwin_type = 0;
@@ -2728,6 +2729,7 @@ do_ecmd(
             */
            if (buf->b_fname != NULL)
                new_name = vim_strsave(buf->b_fname);
+           save_au_new_curbuf = au_new_curbuf;
            set_bufref(&au_new_curbuf, buf);
            apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf);
 #ifdef FEAT_CMDWIN
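Review bot: The new `save_au_new_curbuf = au_new_curbuf;` carries no comment explaining why a global is stashed at this point, and the surrounding lines do not make the reason obvious. Going by the commit message, the autocommands run just below can presumably overwrite au_new_curbuf, so I would add above the assignment `// Autocommands may change au_new_curbuf; save it so every exit below restores the caller's value.` The declaration in the previous hunk is uninitialised, which is only safe while no exit path that restores it can run before this line; the lines between the two hunks are not visible here.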
@@ -2737,12 +2739,14 @@ do_ecmd(
            {
                // new buffer has been deleted
                delbuf_msg(new_name);   // frees new_name
+               au_new_curbuf = save_au_new_curbuf;
                goto theend;
            }
 #ifdef FEAT_EVAL
            if (aborting())         // autocmds may abort script processing
            {
                vim_free(new_name);
+               au_new_curbuf = save_au_new_curbuf;
                goto theend;
            }
 #endif
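Review bot: The restore `au_new_curbuf = save_au_new_curbuf;` is written out by hand before each `goto theend` in this hunk, and again in the hunks at -2778, -2786 and -2831. An early exit added later inside the `if (buf != curbuf)` block can easily miss it and leave the global referring to `buf`. Because save_au_new_curbuf is scoped to that block, the `theend` label cannot do the restore as the code stands; hoisting the saved copy to function scope with a flag saying it is set, or jumping to a single local label at the end of the block, would put the restore in one place. do_ecmd starts and ends outside the hunk, so the other ways of reaching `theend` are not visible here.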
@@ -2778,6 +2782,7 @@ do_ecmd(
                if (aborting() && curwin->w_buffer != NULL)
                {
                    vim_free(new_name);
+                   au_new_curbuf = save_au_new_curbuf;
                    goto theend;
                }
 #endif
@@ -2786,6 +2791,7 @@ do_ecmd(
                {
                    // new buffer has been deleted
                    delbuf_msg(new_name);       // frees new_name
+                   au_new_curbuf = save_au_new_curbuf;
                    goto theend;
                }
                if (buf == curbuf)              // already in new buffer
@@ -2831,8 +2837,7 @@ do_ecmd(
 #endif
            }
            vim_free(new_name);
-           au_new_curbuf.br_buf = NULL;
-           au_new_curbuf.br_buf_free_count = 0;
+           au_new_curbuf = save_au_new_curbuf;
        }
 
        curwin->w_pcmark.lnum = 1;
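Review bot: Replacing the unconditional reset with `au_new_curbuf = save_au_new_curbuf;` means the global can now hold a reference captured before the autocommands ran, and the "new buffer has been deleted" branches in this function show that those autocommands can free buffers. Code that checks the reference with bufref_valid() before use is unaffected. Any reader outside this diff that dereferences `au_new_curbuf.br_buf` directly would now see a possibly freed buffer where it used to see NULL, so those call sites are worth auditing. A comment on this line such as `// may refer to a wiped buffer; users must check bufref_valid()` would record the assumption.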
index cb5c62f522207bbf004b5a9787370261db5617cc..8ccc753df2e2960be08cb03c62fa5d8a9845ba23 100644 (file)
@@ -2739,9 +2739,9 @@ func Test_autocmd_closes_window()
   au BufNew,BufWinLeave * e %e
   file yyy
   au BufNew,BufWinLeave * ball
-  call assert_fails('n xxx', 'E143:')
+  n xxx
 
-  bwipe %
+  %bwipe
   au! BufNew
   au! BufWinLeave
 endfunc
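Review bot: With `call assert_fails('n xxx', 'E143:')` replaced by a bare `n xxx`, Test_autocmd_closes_window no longer asserts anything about the result of the command. If the command is now expected to succeed, a comment such as `" Used to fail with E143; now only checks that the nested autocommands do not crash.` would say so. An assertion on the resulting buffer or window state would stop the test from silently accepting a later regression. The function starts outside the hunk.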
@@ -2759,4 +2759,19 @@ func Test_autocmd_quit_psearch()
   augroup END
 endfunc
 
+" Fuzzer found some strange combination that caused a crash.
+func Test_autocmd_normal_mess()
+  augroup aucmd_normal_test
+    au BufLeave,BufWinLeave,BufHidden,BufUnload,BufDelete,BufWipeout * norm 7q/qc
+  augroup END
+  o4
+  silent! H
+  e xx
+  normal G
+
+  augroup aucmd_normal_test
+    au!
+  augroup END
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
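Review bot: The comment above Test_autocmd_normal_mess, "Fuzzer found some strange combination that caused a crash", does not say which state was corrupted, so a reader cannot tell what the test guards against. Based on the commit message I would expand it to something like `" Using the command line window from a BufLeave autocommand while editing another buffer used to crash (8.2.2472).` If it is known from the fuzzer case why `o4` and `silent! H` are needed to reach the crash, a short comment on each would help whoever has to minimise or update the test later.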
index 2beec07bc39dde8892c84168730e031862e55d00..1b0faaeee7ea075fe6fd7ab584b712cd5cc7b624 100644 (file)
@@ -750,6 +750,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2472,
 /**/
     2471,
 /**/