patch 9.2.0594: Use-after-free with ":wqall" and a running terminal job

Problem:  Using ":wqall" with a running terminal buffer can free the
          buffer that is currently being iterated over in the buffer
          list, resulting in a use-after-free (after v9.2.0593).
Solution: After stopping the job, check whether the buffer is still valid
          and restart the iteration from the first buffer if it was freed
          (Hirohito Higashi).

related: #20417
closes:  #20423

Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index cedb9edf882cdac60de6cb5c11b6f2d09113473a..b2fc85c99e10a585bea37df822b7ae0a8a65e217 100644 (file)
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2515,11 +2515,17 @@ do_wqall(exarg_T *eap)
 #ifdef FEAT_TERMINAL
        if (exiting && !eap->forceit && term_job_running(buf->b_term))
        {
+           bufref_T    bufref;
+
+           set_bufref(&bufref, buf);
            if (term_try_stop_job(buf) == FAIL)
            {
                no_write_message_buf(buf);
                ++error;
            }
+           // Stopping the job may have freed the terminal buffer.
+           else if (!bufref_valid(&bufref))
+               buf = firstbuf;
        }
        else
 #endif

diff --git a/src/version.c b/src/version.c
index cacb63cb8c30bf6c5913446934065d6fb6369a90..65550ac00497da0b720eb47923afde06661bb754 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    594,
 /**/
     593,
 /**/