patch 8.1.2136: using freed memory with autocmd from fuzzer

Problem: using freed memory with autocmd from fuzzer. (Dhiraj Mishra, Dominique Pelle) Solution: Avoid using "wp" after autocommands. (closes #5041)
vim · Oct 11, 2019 · ec66c41 · ec66c41 · NicoleG25 · Jan 2, 2020
1 parent 00eab7f
commit ec66c41
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
@@ -2288,3 +2288,11 @@ func Test_autocmd_CmdWinEnter()
   call StopVimInTerminal(buf)
   call delete(filename)
 endfunc
+
+func Test_autocmd_was_using_freed_memory()
+  pedit xx
+  n x
+  au WinEnter * quit
+  split
+  au! WinEnter
+endfunc
diff --git a/src/version.c b/src/version.c
@@ -753,6 +753,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2136,
 /**/
     2135,
 /**/

diff --git a/src/window.c b/src/window.c
@@ -4641,6 +4641,7 @@ win_enter_ext(
 #ifdef FEAT_JOB_CHANNEL
     entering_window(curwin);
 #endif
+    // Careful: autocommands may close the window and make "wp" invalid
     if (trigger_new_autocmds)
 	apply_autocmds(EVENT_WINNEW, NULL, NULL, FALSE, curbuf);
     if (trigger_enter_autocmds)
@@ -4655,7 +4656,7 @@ win_enter_ext(
 #endif
     curwin->w_redr_status = TRUE;
 #ifdef FEAT_TERMINAL
-    if (bt_terminal(wp->w_buffer))
+    if (bt_terminal(curwin->w_buffer))
 	// terminal is likely in another mode
 	redraw_mode = TRUE;
 #endif