patch 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer v9.1.1375
authorSean Dewar <6256228+seandewar@users.noreply.github.com>
Sat, 10 May 2025 12:30:36 +0000 (14:30 +0200)
committerChristian Brabandt <cb@256bit.org>
Sat, 10 May 2025 12:30:36 +0000 (14:30 +0200)
Problem:  heap use-after-free possible when autocommands switch away from the
          quickfix dummy buffer, but leave it open in a window.
Solution: close its windows first before attempting the wipe.
          (Sean Dewar)

related: #17283

Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/quickfix.c
src/testdir/test_quickfix.vim
src/version.c

index 2271ae0885653927da162155a581f73dfeb94c34..9fe79784fb741c33f5984f5a54ea70e135d471d1 100644 (file)
@@ -7026,7 +7026,11 @@ load_dummy_buffer(
            aucmd_restbuf(&aco);
 
            if (newbuf_to_wipe.br_buf != NULL && bufref_valid(&newbuf_to_wipe))
-               wipe_buffer(newbuf_to_wipe.br_buf, FALSE);
+           {
+               block_autocmds();
+               wipe_dummy_buffer(newbuf_to_wipe.br_buf, NULL);
+               unblock_autocmds();
+           }
        }
 
        // Add back the "dummy" flag, otherwise buflist_findname_stat() won't
@@ -7052,8 +7056,8 @@ load_dummy_buffer(
 
 /*
  * Wipe out the dummy buffer that load_dummy_buffer() created. Restores
- * directory to "dirname_start" prior to returning, if autocmds or the
- * 'autochdir' option have changed it.
+ * directory to "dirname_start" if not NULL prior to returning, if autocmds or
+ * the 'autochdir' option have changed it.
  */
     static void
 wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
@@ -7095,8 +7099,9 @@ wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
        // new aborting error, interrupt, or uncaught exception.
        leave_cleanup(&cs);
 #endif
-       // When autocommands/'autochdir' option changed directory: go back.
-       restore_start_dir(dirname_start);
+       if (dirname_start != NULL)
+           // When autocommands/'autochdir' option changed directory: go back.
+           restore_start_dir(dirname_start);
     }
 }
 
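Review bot: The new `block_autocmds()` / `wipe_dummy_buffer(newbuf_to_wipe.br_buf, NULL)` / `unblock_autocmds()` sequence in the first hunk has no comment saying why autocommands must be suppressed for this wipe or why `NULL` (which, per the third hunk, skips `restore_start_dir()`) is passed, and the window-closing the description promises is not visible here, so a reader of load_dummy_buffer() has to go find it inside wipe_dummy_buffer(). A comment along the lines of `// The dummy buffer may still be shown in a window; close it and wipe the buffer with autocommands blocked so nothing can switch buffers again mid-wipe. Directory restoration is left to the caller.` would tie the three calls to the bug being fixed. In the third hunk the `if (dirname_start != NULL)` body is a single unbraced statement with a comment line between the `if` and its statement; bracing it, or moving the comment above the `if`, avoids the goto-fail shape. load_dummy_buffer() and wipe_dummy_buffer() both begin and end outside these hunks.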
index 54e3bb770e4047947fc11957ac24b624b7e891b7..df4cc80112887fb9e6bf14ab4d693999da7fe5fe 100644 (file)
@@ -6899,4 +6899,26 @@ func Test_quickfix_close_buffer_crash()
   wincmd q
 endfunc
 
+func Test_vimgrep_dummy_buffer_crash()
+  augroup DummyCrash
+    autocmd!
+    " Make the dummy buffer non-current, but still open in a window.
+    autocmd BufReadCmd * ++once let s:dummy_buf = bufnr()
+          \| split | wincmd p | enew
+
+    " Autocmds from cleaning up the dummy buffer in this case should be blocked.
+    autocmd BufWipeout *
+          \ call assert_notequal(s:dummy_buf, str2nr(expand('<abuf>')))
+  augroup END
+
+  silent! vimgrep /./ .
+  redraw! " Window to freed dummy buffer used to remain; heap UAF.
+  call assert_equal([], win_findbuf(s:dummy_buf))
+  call assert_equal(0, bufexists(s:dummy_buf))
+
+  unlet! s:dummy_buf
+  autocmd! DummyCrash
+  %bw!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
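Review bot: The first assert after the `vimgrep`, `call assert_equal([], win_findbuf(s:dummy_buf))`, reads `s:dummy_buf`, which is only defined if the `++once` BufReadCmd actually fired; since the vimgrep runs under `silent!`, a run that loads no file would presumably fail with an undefined-variable error rather than a clear assertion. Adding `call assert_true(exists('s:dummy_buf'))` before that line makes the precondition explicit and keeps the failure message meaningful. The cleanup uses `autocmd! DummyCrash`, which clears the group's commands but leaves the group defined; `augroup! DummyCrash` would remove it entirely.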
index 236306eb2103493220228bbf8bd10ff041877258..11d75207a7597cf107e2066de9f9ead52be004f4 100644 (file)
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1375,
 /**/
     1374,
 /**/