patch 9.0.1859: heap-use-after-free in bt_normal()

Commit: 
https://github.com/vim/vim/commit/6e60cf444a8839ca1694319bf9a82e7b097e5c4d
Author: Christian Brabandt <c...@256bit.org>
Date:   Sun Sep 3 21:43:46 2023 +0200

    patch 9.0.1859: heap-use-after-free in bt_normal()
    
    Problem:  heap-use-after-free in bt_normal()
    Solution: check that buffer is still valid
    
    Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/buffer.c b/src/buffer.c
index 14eac92b9..93f9245f2 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5777,7 +5777,7 @@ bt_normal(buf_T *buf)
 bt_quickfix(buf_T *buf UNUSED)
 {
 #ifdef FEAT_QUICKFIX
-    return buf != NULL && buf->b_p_bt[0] == 'q';
+    return buf != NULL && buf_valid(buf) && buf->b_p_bt[0] == 'q';
 #else
     return FALSE;
 #endif
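Review bot: The added `buf_valid(buf)` in bt_quickfix() makes the predicate tolerate a stale pointer, but the caller that kept `buf` across autocommand execution still holds it, so any other dereference of that pointer stays a use-after-free. The commit title names bt_normal(), which appears here only in the `@@` context line; whether it and the other `bt_*` predicates read `buf->b_p_bt` without the same guard cannot be confirmed from this hunk and should be checked. Where the pointer is carried across an autocommand, recording it with `set_bufref()` and re-testing with `bufref_valid()` at that call site would address the cause rather than the symptom. If the guard stays, document it, e.g. `// "buf" may have been wiped out by an autocommand; buf_valid() walks the buffer list`, since that walk adds a linear cost to what is presumably a frequently called predicate.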
diff --git a/src/testdir/crash/bt_quickfix1_poc 
b/src/testdir/crash/bt_quickfix1_poc
new file mode 100644
index 000000000..97993fde5
--- /dev/null
+++ b/src/testdir/crash/bt_quickfix1_poc
@@ -0,0 +1,5 @@
+au BufReadPre * exe 'sn' .. expand("<abuf>")
+call writefile([''],'X')
+sil! e X
+call writefile([''],'X')
+sil! e X
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 27bf7b55d..8deb79702 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -49,6 +49,15 @@ func Test_crash1()
 
   call TermWait(buf, 100)
 
+  let file = 'crash/bt_quickfix1_poc'
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+  " clean up
+  call delete('X')
+  " This test takes a bit longer
+  call TermWait(buf, 200)
+
   " clean up
   exe buf .. "bw!"
 
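Review bot: `call delete('X')` runs immediately after term_sendkeys() and before `call TermWait(buf, 200)`, so it can execute before the child Vim has run the PoC and created `X`, leaving the file behind in the test directory. Swapping the two so the cleanup follows the wait (`call TermWait(buf, 200)` then `call delete('X')`) orders it after the PoC has had time to run. The wait is still a fixed delay, so on a slow machine a missing `crash 6: [OK]` line may mean a timeout rather than a crash; a comment saying so would help whoever triages a failure. Test_crash1() starts and ends outside this hunk.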
@@ -60,6 +69,7 @@ func Test_crash1()
       \ 'crash 3: [OK]',
       \ 'crash 4: [OK]',
       \ 'crash 5: [OK]',
+      \ 'crash 6: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))
diff --git a/src/version.c b/src/version.c
index b604b57f8..f2ff8d6b7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1859,
 /**/
     1858,
 /**/
