commit 71658f74ae64c366b2d35b82c0a2eadb1317f028
author Bram Moolenaar <Bram@vim.org> Tue Mar 24 20:35:19 2020 +0100
committer Bram Moolenaar <Bram@vim.org> Tue Mar 24 20:35:19 2020 +0100
tree a33d01457e46aae42eb58972fdbc1df392924de8
parent f3710ee22d0039cea2f970452b5faf56e89a6ab0

patch 8.2.0442: channel contents might be used after being freed

Problem:    Channel contents might be used after being freed.
Solution:   Reset the job channel before freeing the channel.

src/channel.c

diff --git a/src/channel.c b/src/channel.c
index 6dde107..a57ed9c 100644
--- a/src/channel.c
+++ b/src/channel.c
@@ -396,6 +396,7 @@
 
 /*
  * Close a channel and free all its resources.
+ * The "channel" pointer remains valid.
  */
     static void
 channel_free_contents(channel_T *channel)
@@ -405,6 +406,9 @@
     ch_log(channel, "Freeing channel");
 }
 
+/*
+ * Unlink "channel" from the list of channels and free it.
+ */
     static void
 channel_free_channel(channel_T *channel)
 {
@@ -497,10 +501,8 @@
 	ch_next = ch->ch_next;
 	if (!channel_still_useful(ch)
 				 && (ch->ch_copyID & mask) != (copyID & mask))
-	{
 	    // Free the channel struct itself.
 	    channel_free_channel(ch);
-	}
     }
 }
 
@@ -4454,15 +4456,12 @@
 	}
 	if (channel->ch_to_be_freed || channel->ch_killing)
 	{
-	    if (channel->ch_killing)
-	    {
-		channel_free_contents(channel);
-		channel_free_channel(channel);
+	    channel_free_contents(channel);
+	    if (channel->ch_job != NULL)
 		channel->ch_job->jv_channel = NULL;
-	    }
-	    else
-		channel_free(channel);
-	    // channel has been freed, start over
+
+	    // free the channel and then start over
+	    channel_free_channel(channel);
 	    channel = first_channel;
 	    continue;
 	}

src/version.c

diff --git a/src/version.c b/src/version.c
index 0cf6011..31c5610 100644
--- a/src/version.c
+++ b/src/version.c
@@ -739,6 +739,8 @@
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    442,
+/**/
     441,
 /**/
     440,