patch 9.1.1387: memory leak when buflist_new() fails to reuse curbuf

seandewar · chrisbra · commit 0077282c8209 · 2025-05-14T20:16:52.000+02:00
Problem:  buflist_new() leaks ffname and fails to reuse curbuf when
          autocommands from buf_freeall change curbuf. Plus, a new
          buffer is not allocated in this case, despite what the comment
          above claims.
Solution: Remove the condition so ffname is not leaked and so a new
          buffer is allocated like before v8.2.4791. It should not be
          possible for undo_ftplugin or buf_freeall autocommands to
          delete the buffer as they set b_locked, but to stay consistent
          with other uses of buf_freeall, guard against that anyway
          (Sean Dewar).

Note that buf is set to NULL if it was deleted to guard against the (rare)
possibility of messing up the "buf != curbuf" condition below if a new buffer
happens to be allocated at the same address.

closes: #17319

Signed-off-by: Sean Dewar &lt;6256228+seandewar@users.noreply.github.com&gt;
Signed-off-by: Christian Brabandt &lt;cb@256bit.org&gt;
diff --git a/src/buffer.c b/src/buffer.c
@@ -2220,20 +2220,23 @@ buflist_new(
     buf = NULL;
     if ((flags & BLN_CURBUF) && curbuf_reusable())
     {
+	bufref_T bufref;
+
 	buf = curbuf;
+	set_bufref(&bufref, buf);
 	trigger_undo_ftplugin(buf, curwin);
 	// It's like this buffer is deleted.  Watch out for autocommands that
 	// change curbuf!  If that happens, allocate a new buffer anyway.
 	buf_freeall(buf, BFA_WIPE | BFA_DEL);
-	if (buf != curbuf)   // autocommands deleted the buffer!
-	    return NULL;
 #ifdef FEAT_EVAL
 	if (aborting())		// autocmds may abort script processing
 	{
 	    vim_free(ffname);
 	    return NULL;
 	}
 #endif
+	if (!bufref_valid(&bufref))
+	    buf = NULL;		// buf was deleted; allocate a new buffer
     }
     if (buf != curbuf || curbuf == NULL)
     {
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
@@ -5390,4 +5390,29 @@ func Test_eventignorewin_non_current()
   %bw!
 endfunc
 
+func Test_reuse_curbuf_leak()
+  new bar
+  let s:bar_buf = bufnr()
+  augroup testing
+    autocmd!
+    autocmd BufDelete * ++once let s:triggered = 1 | execute s:bar_buf 'buffer'
+  augroup END
+  enew
+  let empty_buf = bufnr()
+
+  " Old curbuf should be reused, firing BufDelete. As BufDelete changes curbuf,
+  " reusing the buffer would fail and leak the ffname.
+  edit foo
+  call assert_equal(1, s:triggered)
+  " Wasn't reused because the buffer changed, but buffer "foo" is still created.
+  call assert_equal(1, bufexists(empty_buf))
+  call assert_notequal(empty_buf, bufnr())
+  call assert_equal('foo', bufname())
+  call assert_equal('bar', bufname(s:bar_buf))
+
+  unlet! s:bar_buf s:triggered
+  call CleanUpTestAuGroup()
+  %bw!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1387,
 /**/
     1386,
 /**/

Original file line number	Diff line number	Diff line change
`@@ -2220,20 +2220,23 @@ buflist_new(`
`2220`	`2220`	`buf = NULL;`
`2221`	`2221`	`if ((flags & BLN_CURBUF) && curbuf_reusable())`
`2222`	`2222`	`{`
	`2223`	`+ bufref_T bufref;`
	`2224`	`+`
`2223`	`2225`	`buf = curbuf;`
	`2226`	`+ set_bufref(&bufref, buf);`
`2224`	`2227`	`trigger_undo_ftplugin(buf, curwin);`
`2225`	`2228`	`// It's like this buffer is deleted. Watch out for autocommands that`
`2226`	`2229`	`// change curbuf! If that happens, allocate a new buffer anyway.`
`2227`	`2230`	`buf_freeall(buf, BFA_WIPE \| BFA_DEL);`
`2228`		`- if (buf != curbuf) // autocommands deleted the buffer!`
`2229`		`- return NULL;`
`2230`	`2231`	`#ifdef FEAT_EVAL`
`2231`	`2232`	`if (aborting()) // autocmds may abort script processing`
`2232`	`2233`	`{`
`2233`	`2234`	`vim_free(ffname);`
`2234`	`2235`	`return NULL;`
`2235`	`2236`	`}`
`2236`	`2237`	`#endif`
	`2238`	`+ if (!bufref_valid(&bufref))`
	`2239`	`+ buf = NULL; // buf was deleted; allocate a new buffer`
`2237`	`2240`	`}`
`2238`	`2241`	`if (buf != curbuf \|\| curbuf == NULL)`
`2239`	`2242`	`{`