patch 8.2.1962: netbeans may access freed memoryv8.2.1962

Problem:    Netbeans may access freed memory.
Solution:   Check the buffer pointer is still valid.  Add a test. (Yegappan
            Lakshmanan, closes #7248)

3 files changed, 49 insertions, 9 deletions

diff --git a/src/netbeans.c b/src/netbeans.c
index ccff3a5367..1a565df003 100644
--- a/src/netbeans.c
+++ b/src/netbeans.c
@@ -572,7 +572,7 @@ nb_free(void)
 	buf = buf_list[i];
 	vim_free(buf.displayname);
 	vim_free(buf.signmap);
-	if (buf.bufp != NULL)
+	if (buf.bufp != NULL && buf_valid(buf.bufp))
 	{
 	    buf.bufp->b_netbeans_file = FALSE;
 	    buf.bufp->b_was_netbeans_file = FALSE;
@@ -1943,15 +1943,13 @@ nb_do_cmd(
 	    if (STRLEN(fg) > MAX_COLOR_LENGTH || STRLEN(bg) > MAX_COLOR_LENGTH)
 	    {
 		emsg("E532: highlighting color name too long in defineAnnoType");
-		vim_free(typeName);
+		VIM_CLEAR(typeName);
 		parse_error = TRUE;
 	    }
 	    else if (typeName != NULL && tooltip != NULL && glyphFile != NULL)
 		addsigntype(buf, typeNum, typeName, tooltip, glyphFile, fg, bg);
-	    else
-		vim_free(typeName);
 
-	    // don't free typeName; it's used directly in addsigntype()
+	    vim_free(typeName);
 	    vim_free(fg);
 	    vim_free(bg);
 	    vim_free(tooltip);
@@ -3240,7 +3238,7 @@ addsigntype(
 	    }
 	}
 
-	globalsignmap[i] = (char *)typeName;
+	globalsignmap[i] = (char *)vim_strsave(typeName);
 	globalsignmapused = i + 1;
     }
 
diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim
index ea845bd674..490e528c43 100644
--- a/src/testdir/test_netbeans.vim
+++ b/src/testdir/test_netbeans.vim
@@ -34,9 +34,9 @@ endfunc
 " Read the "Xnetbeans" file and filter out geometry messages.
 func ReadXnetbeans()
   let l = readfile("Xnetbeans")
-  " Xnetbeans may include '0:geometry=' messages on GUI environment if window
+  " Xnetbeans may include '0:geometry=' messages in the GUI Vim if the window
   " position, size, or z order are changed.  Remove these messages because
-  " will causes troubles on check.
+  " these message will break the assert for the output.
   return filter(l, 'v:val !~ "^0:geometry="')
 endfunc
 
@@ -388,7 +388,7 @@ func Nb_basic(port)
   call assert_equal('send: 2:defineAnnoType!60 1 "s1" "x" "=>" blue none', l[-1])
   sleep 1m
   call assert_equal({'name': '1', 'texthl': 'NB_s1', 'text': '=>'},
-        \ sign_getdefined()[0])
+        \ sign_getdefined()->get(0, {}))
   let g:last += 3
 
   " defineAnnoType with a long color name
@@ -892,4 +892,44 @@ func Test_nb_quit_with_conn()
   call s:run_server('Nb_quit_with_conn')
 endfunc
 
+func Nb_bwipe_buffer(port)
+  call delete("Xnetbeans")
+  call writefile([], "Xnetbeans")
+
+  " Last line number in the Xnetbeans file. Used to verify the result of the
+  " communication with the netbeans server
+  let g:last = 0
+
+  " Establish the connection with the netbeans server
+  exe 'nbstart :localhost:' .. a:port .. ':bunny'
+  call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
+  let l = ReadXnetbeans()
+  call assert_equal(['AUTH bunny',
+        \ '0:version=0 "2.5"',
+        \ '0:startupDone=0'], l[-3:])
+  let g:last += 3
+
+  " Open the command buffer to communicate with the server
+  split Xcmdbuf
+  call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
+  let l = ReadXnetbeans()
+  call assert_equal('0:fileOpened=0 "Xcmdbuf" T F',
+        \ substitute(l[-3], '".*/', '"', ''))
+  call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"',
+        \ substitute(l[-2], '".*/', '"', ''))
+  call assert_equal('1:startDocumentListen!16', l[-1])
+  let g:last += 3
+
+  sleep 10m
+endfunc
+
+" This test used to reference a buffer after it was freed leading to an ASAN
+" error.
+func Test_nb_bwipe_buffer()
+  call s:run_server('Nb_bwipe_buffer')
+  %bwipe!
+  sleep 100m
+  nbclose
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 40599ceccb..6baaf593e0 100644
--- a/src/version.c
+++ b/src/version.c
@@ -751,6 +751,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1962,
+/**/
     1961,
 /**/
     1960,