commit 9540e7470beb1fce987c411564effe6625fd0528
parent b4039ec0b026938051061ee93618a0d14e54581c
Author: zeertzjq <zeertzjq@outlook.com>
Date: Tue, 27 Jan 2026 13:12:15 +0800
fix(terminal): possible heap-use-after-free during Nvim exit
Usually, terminal_close() calls refresh_terminal(), which allocates the
scrollback buffer, and term_may_alloc_scrollback() in terminal_open()
won't dereference the buffer. However, refresh_terminal() is not called
during Nvim exit, in which case a heap-use-after-free may happen if a
TermOpen autocommand wipes the buffer. Check for non-NULL buf_handle to avoid that.
Diffstat:
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/nvim/terminal.c b/src/nvim/terminal.c
@@ -566,7 +566,7 @@ void terminal_open(Terminal **termpp, buf_T *buf, TerminalOptions opts)
aucmd_restbuf(&aco);
- if (*termpp == NULL) {
+ if (*termpp == NULL || term->buf_handle == 0) {
return; // Terminal has already been destroyed.
}
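Review bot: The comment on the early return in terminal_open() still reads only "Terminal has already been destroyed", but the new `term->buf_handle == 0` branch is taken when the Terminal object still exists and only its buffer is gone. The comment should name both states, for example `return;  // Terminal destroyed, or its buffer was wiped by a TermOpen autocommand.` The operand order also matters: `||` short-circuits so that `term` is not dereferenced when `*termpp == NULL`, and swapping the operands would presumably read a freed Terminal, which is worth a word in the comment. `term` is assigned outside the hunk, so its relationship to `*termpp` cannot be confirmed from here.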
diff --git a/test/functional/terminal/channel_spec.lua b/test/functional/terminal/channel_spec.lua
@@ -213,6 +213,16 @@ describe('no crash when TermOpen autocommand', function()
]])
assert_alive()
end)
+
+ it('wipes buffer when using jobstart(…,{term=true}) during Nvim exit', function()
+ n.expect_exit(n.exec_lua, function()
+ vim.schedule(function()
+ vim.fn.jobstart(term_args, { term = true })
+ end)
+ vim.cmd('autocmd TermOpen * bwipe!')
+ vim.cmd('qall!')
+ end)
+ end)
end)
describe('nvim_open_term', function()
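Review bot: The added test asserts nothing beyond `n.expect_exit`, so it fails only if Nvim crashes or does not exit. A heap-use-after-free like the one fixed here is typically reported only by a sanitizer build, so on a plain build the test may pass even if the guard in terminal_open() regresses. A comment above the `it(...)` would make that dependency explicit, for example `-- Regression test for a heap-use-after-free in terminal_open(); reliably detected only under ASan.` The enclosing `describe` block starts outside the hunk.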