From c366c944c2d2f46862f8d3a660e52f2735f816ae Mon Sep 17 00:00:00 2001
From: Sean Dewar
Date: Wed, 24 Nov 2021 02:48:55 +0000
Subject: [PATCH 1/2] vim-patch:8.1.2136: using freed memory with autocmd from fuzzer

Problem: using freed memory with autocmd from fuzzer. (Dhiraj Mishra, Dominique Pelle)
Solution: Avoid using "wp" after autocommands. (closes vim/vim#5041)
https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421

Nvim doesn't use Vim's terminal implementation. Despite this, Nvim has its own *exclusive* way of crashing here. Requires 'winwidth' > winwidth() and 'nowinfixwidth' to crash; adjust the test ('nowfw' is the default, but ensure its disabled anyway).
---
 src/nvim/testdir/test_autocmd.vim | 11 +++++++++++
 src/nvim/window.c | 3 ++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/nvim/testdir/test_autocmd.vim b/src/nvim/testdir/test_autocmd.vim
index 0c8b8a45d9..1bc9d95f05 100644
--- a/src/nvim/testdir/test_autocmd.vim
+++ b/src/nvim/testdir/test_autocmd.vim
@@ -1897,6 +1897,17 @@ func Test_autocmd_CmdWinEnter()
 call delete(filename)
 endfunc
 
+func Test_autocmd_was_using_freed_memory()
+ pedit xx
+ n x
+ au WinEnter * quit
+ " Nvim needs large 'winwidth' and 'nowinfixwidth' to crash
+ set winwidth=99999 nowinfixwidth
+ split
+ au! WinEnter
+ set winwidth& winfixwidth&
+endfunc
+
 func Test_FileChangedShell_reload()
 if !has('unix')
 return
diff --git a/src/nvim/window.c b/src/nvim/window.c
index e328ff5467..3e6e42dec2 100644
--- a/src/nvim/window.c
+++ b/src/nvim/window.c
@@ -4525,6 +4525,7 @@ static void win_enter_ext(win_T *const wp, const int flags)
 
 fix_current_dir();
 
+ // Careful: autocommands may close the window and make "wp" invalid
 if (flags & WEE_TRIGGER_NEW_AUTOCMDS) {
 apply_autocmds(EVENT_WINNEW, NULL, NULL, false, curbuf);
 }
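Review bot: The comment added above the WEE_TRIGGER_NEW_AUTOCMDS block names the hazard, but the only `wp` dereference this series actually removes is the `wp->w_floating` read in the next window.c hunk (the 'winwidth' check, which becomes `curwin->w_floating`). `wp` is still a parameter of win_enter_ext and the body between the two hunks lies outside the diff, so any other read of `wp` after apply_autocmds() carries the same use-after-free; an audit of the remaining uses, with a `win_valid(wp)` re-check wherever one cannot be replaced by `curwin`, would close that gap. The comment could state the rule rather than only the risk: `// Careful: autocommands may close the window and make "wp" invalid; use curwin, not "wp", from here on`.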
@@ -4558,7 +4559,7 @@ static void win_enter_ext(win_T *const wp, const int flags)
 }
 
 // set window width to desired minimal value
- if (curwin->w_width < p_wiw && !curwin->w_p_wfw && !wp->w_floating) {
+ if (curwin->w_width < p_wiw && !curwin->w_p_wfw && !curwin->w_floating) {
 win_setwidth((int)p_wiw);
 }
 
From dac52e6d044d27cd6d51fdde2fa3be3f9dba11a4 Mon Sep 17 00:00:00 2001
From: Sean Dewar
Date: Wed, 24 Nov 2021 03:58:44 +0000
Subject: [PATCH 2/2] vim-patch:8.2.2465: using freed memory in :psearch

Problem: Using freed memory in :psearch. (houyunsong)
Solution: Check the current window is still valid. Fix flaky test.
https://github.com/vim/vim/commit/92bb83e41ca42d0d00d21753810d92485c808a50

Test_cursorhold_insert timer's 100ms delay was already LoadAdjusted, but change to 200ms (still LoadAdjust) to match Vim anyway.
---
 src/nvim/search.c | 3 +++
 src/nvim/testdir/test_autocmd.vim | 28 +++++++++++++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/src/nvim/search.c b/src/nvim/search.c
index 2e45a8f509..f47315705c 100644
--- a/src/nvim/search.c
+++ b/src/nvim/search.c
@@ -5248,6 +5248,9 @@ search_line:
 if (depth == -1) {
 // match in current file
 if (l_g_do_tagpreview != 0) {
+ if (!win_valid(curwin_save)) {
+ break;
+ }
 if (!GETFILE_SUCCESS(getfile(curwin_save->w_buffer->b_fnum, NULL, NULL,
 true, lnum, false))) {
 break; // failed to jump to file
diff --git a/src/nvim/testdir/test_autocmd.vim b/src/nvim/testdir/test_autocmd.vim
index 1bc9d95f05..49d56349a5 100644
--- a/src/nvim/testdir/test_autocmd.vim
+++ b/src/nvim/testdir/test_autocmd.vim
@@ -33,7 +33,7 @@ if has('timers')
 let g:triggered = 0
 au CursorHoldI * let g:triggered += 1
 set updatetime=20
- call timer_start(LoadAdjust(100), 'ExitInsertMode')
+ call timer_start(LoadAdjust(200), 'ExitInsertMode')
 call feedkeys('a', 'x!')
 call assert_equal(1, g:triggered)
 unlet g:triggered
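Review bot: The new `win_valid(curwin_save)` check guards only the `curwin_save->w_buffer` dereference on the line that follows it; `getfile()` itself runs autocommands (the new Test_autocmd_quit_psearch closes windows from BufEnter, BufLeave, WinEnter and WinLeave to provoke exactly that), so `curwin_save` can be stale again by the time getfile() returns. If the rest of the function, which continues past this hunk, reads `curwin_save` after the jump, it needs the same validation; that cannot be confirmed from the hunk alone. A why-comment on the guard would also help the next reader, e.g. `// an autocommand may have closed the preview window; give up on the jump`.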
@@ -1900,12 +1900,21 @@ endfunc
 func Test_autocmd_was_using_freed_memory()
 pedit xx
 n x
- au WinEnter * quit
+ augroup winenter
+ au WinEnter * if winnr('$') > 2 | quit | endif
+ augroup END
 " Nvim needs large 'winwidth' and 'nowinfixwidth' to crash
 set winwidth=99999 nowinfixwidth
 split
- au! WinEnter
+
+ augroup winenter
+ au! WinEnter
+ augroup END
+
 set winwidth& winfixwidth&
+ bwipe xx
+ bwipe x
+ pclose
 endfunc
 
 func Test_FileChangedShell_reload()
@@ -2136,6 +2145,19 @@ func Test_autocmd_closes_window()
 au! BufWinLeave
 endfunc
 
+func Test_autocmd_quit_psearch()
+ sn aa bb
+ augroup aucmd_win_test
+ au!
+ au BufEnter,BufLeave,BufNew,WinEnter,WinLeave,WinNew * if winnr('$') > 1 | q | endif
+ augroup END
+ ps /
+
+ augroup aucmd_win_test
+ au!
+ augroup END
+endfunc
+
 func Test_autocmd_closing_cmdwin()
 au BufWinLeave * nested q
 call assert_fails("norm 7q?\n", 'E855:')
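Review bot: Test_autocmd_quit_psearch does not clean up the argument-list buffers that `sn aa bb` creates, while Test_autocmd_was_using_freed_memory in the hunk above now ends with `bwipe xx`, `bwipe x` and `pclose`; a `bwipe! aa bb` after the second `augroup END` would keep the two tests consistent and stop stray buffers leaking into whichever test runs next. The new test also asserts nothing, so a regression is only visible in a sanitizer build; if one window is indeed the expected end state (which cannot be confirmed from the hunk), `call assert_equal(1, winnr('$'))` after `ps /` would give a cheap functional check as well.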