Commit: patch 9.2.0594: Use-after-free with ":wqall" and a running terminal job


Christian Brabandt

Jun 4, 2026, 3:45:13 PM
to vim...@googlegroups.com
patch 9.2.0594: Use-after-free with ":wqall" and a running terminal job

Commit: https://github.com/vim/vim/commit/3ba82a5e48fd238defdd2bd6d69bd825b8099227
Author: Hirohito Higashi <h.eas...@gmail.com>
Date: Thu Jun 4 19:25:50 2026 +0000

patch 9.2.0594: Use-after-free with ":wqall" and a running terminal job

Problem: Using ":wqall" with a running terminal buffer can free the
buffer that is currently being iterated over in the buffer
list, resulting in a use-after-free (after v9.2.0593).
Solution: After stopping the job, check whether the buffer is still valid
and restart the iteration from the first buffer if it was freed
(Hirohito Higashi).

related: #20417
closes: #20423

Signed-off-by: Hirohito Higashi <h.eas...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index cedb9edf8..b2fc85c99 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2515,11 +2515,17 @@ do_wqall(exarg_T *eap)
#ifdef FEAT_TERMINAL
if (exiting && !eap->forceit && term_job_running(buf->b_term))
{
+ bufref_T bufref;
+
+ set_bufref(&bufref, buf);
if (term_try_stop_job(buf) == FAIL)
{
no_write_message_buf(buf);
++error;
}
+ // Stopping the job may have freed the terminal buffer.
+ else if (!bufref_valid(&bufref))
+ buf = firstbuf;
}
else
#endif
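
Review bot: In do_wqall(), the new `bufref_valid(&bufref)` check sits only on the `else if` path, so when `term_try_stop_job(buf)` returns FAIL the code still calls `no_write_message_buf(buf)` on a pointer that has not been validated. If a FAIL return guarantees the buffer was not freed, a short comment saying so would help; otherwise test `bufref_valid(&bufref)` before either branch touches `buf`. Resetting `buf = firstbuf` also means buffers handled earlier in the loop are visited again, so the comment could state that repeating the loop body for them is harmless and how the loop increment treats the reset (the loop header is outside this hunk). The diff as shown changes only src/ex_cmds.c and src/version.c; a regression test that runs ":wqall" while a terminal job is still running would guard this path.
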
diff --git a/src/version.c b/src/version.c
index cacb63cb8..65550ac00 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 594,
/**/
593,
/**/