Source Joachim Nilsson: Found by Coverity Scan. The popbuf() function iterated over a list to find a wp pointer, then sent it to showbuffer() which immediately went ahead and dereferenced it. This patch simply adds a NULL pointer check before calling showbuffer(), if NULL then just return NULL to callee.
The missing NULL check is actually referenced in a comment a few lines earlier in the code. ok? -lum Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/mg/buffer.c,v retrieving revision 1.101 diff -u -p -u -p -r1.101 buffer.c --- buffer.c 31 Aug 2016 12:22:28 -0000 1.101 +++ buffer.c 6 Sep 2016 17:04:22 -0000 @@ -713,12 +713,16 @@ popbuf(struct buffer *bp, int flags) while (wp != NULL && wp == curwp) wp = wp->w_wndp; - } else + } else { for (wp = wheadp; wp != NULL; wp = wp->w_wndp) if (wp->w_bufp == bp) { wp->w_rflag |= WFFULL | WFFRAME; return (wp); } + } + if (!wp) + return (NULL); + if (showbuffer(bp, wp, WFFULL) != TRUE) return (NULL); return (wp);
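Review bot: the new `if (!wp) return (NULL);` before `showbuffer()` should be written as `wp == NULL` to match the `wp != NULL` comparisons two lines above it in the same function (style(9) pointer idiom). The check itself is placed correctly: it covers both ways `wp` can end up NULL here, the `else` branch where the `for` loop runs off the end of `wheadp` without finding a window whose `w_bufp == bp`, and the `if` branch where `while (wp != NULL && wp == curwp) wp = wp->w_wndp;` can step past the last window, so the fix is broader than the "iterated over a list" case the commit message describes. Callers already have to handle a NULL return, since `popbuf()` returns NULL when `showbuffer()` fails, so the early return adds no new failure mode for them. The added braces around the `else` body are not required for correctness (the `for` is a single statement) but are fine as a readability change.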