patch 9.1.0764: [security]: use-after-free when closing a buffer
Commit:
https://github.com/vim/vim/commit/51b62387be93c65fa56bbabe1c3c1ea5df187641
Author: Christian Brabandt <[email protected]>
Date: Sun Oct 6 17:31:10 2024 +0200
patch 9.1.0764: [security]: use-after-free when closing a buffer
Problem: [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
check whether the buffer that is about to be edited has been marked
for deletion, and abort in that case
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/buffer.c b/src/buffer.c
index 34500e4ab..90be301e8 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -497,6 +497,12 @@ can_unload_buffer(buf_T *buf)
return can_unload;
}
+ int
+buf_locked(buf_T *buf)
+{
+ return buf->b_locked || buf->b_locked_split;
+}
+
/*
* Close the link to a buffer.
* "action" is used when there is no longer a window for the buffer.
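Review bot: The new buf_locked() has no leading comment block, while every neighbouring function in buffer.c (see the "Close the link to a buffer" header right below it) documents its contract that way; add one such as `/*` / ` * Return TRUE when "buf" is locked, i.e. b_locked or b_locked_split is set.` / ` */`. The function dereferences "buf" unconditionally, so the comment should also say the argument must not be NULL; the only caller visible in this patch (do_ecmd) does check for NULL first, which suggests that is the intended precondition. The whole function is inside the hunk.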
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index acddd9c38..b990de444 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2743,6 +2743,18 @@ do_ecmd(
}
if (buf == NULL)
goto theend;
+ // autocommands try to edit a file that is goind to be removed,
+ // abort
+ if (buf_locked(buf))
+ {
+ // window was split, but not editing the new buffer,
+ // reset b_nwindows again
+ if (oldwin == NULL
+ && curwin->w_buffer != NULL
+ && curwin->w_buffer->b_nwindows > 1)
+ --curwin->w_buffer->b_nwindows;
+ goto theend;
+ }
if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
// reusing the buffer, keep the old alternate file
curwin->w_alt_fnum = prev_alt_fnum;
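Review bot: The added comment has a typo, "goind"; write the two lines as `// autocommands tried to edit a file that is going to be removed,` / `// abort`. The rollback `if (oldwin == NULL && curwin->w_buffer != NULL && curwin->w_buffer->b_nwindows > 1) --curwin->w_buffer->b_nwindows;` presumably undoes a b_nwindows increment made earlier in do_ecmd when the window was split, but that increment is not in the hunk, so a reader cannot see that the two stay paired; a short comment naming the matching increment site (or a shared helper for both) would make that relationship explicit. Note that the early `goto theend` also skips the alternate-file bookkeeping that follows, which looks intended since no buffer was edited, but is worth a word in the comment. do_ecmd starts and ends outside the hunk.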
diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
index 3a6102789..dc68ca8fc 100644
--- a/src/proto/buffer.pro
+++ b/src/proto/buffer.pro
@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
void set_buflisted(int on);
int buf_contents_changed(buf_T *buf);
void wipe_buffer(buf_T *buf, int aucmd);
+int buf_locked(buf_T *buf);
/* vim: set ft=c : */
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index fc6f377cf..31ebc1bcb 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -4883,4 +4883,23 @@ func Test_GuiEnter_Turkish_locale()
endtry
endfunc
+" This was using freed memory
+func Test_autocmd_BufWinLeave_with_vsp()
+ new
+ let fname = 'XXXBufWinLeaveUAF.txt'
+ let dummy = 'XXXDummy.txt'
+ call writefile([], fname)
+ call writefile([], dummy)
+ defer delete(fname)
+ defer delete(dummy)
+ exe "e " fname
+ vsp
+ augroup testing
+ exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
+ augroup END
+ bw
+ call CleanUpTestAuGroup()
+ exe "bw! " .. dummy
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
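Review bot: Test_autocmd_BufWinLeave_with_vsp() contains no assertion, so it only detects the use-after-free in a sanitizer or crashing build; the one-line comment above it does not say so. Extend it to something like `" This was using freed memory (BufWinLeave re-entering do_ecmd() while the` / `" buffer is being wiped out); the test only checks that nothing crashes.` so a reader knows why no assert_* call follows. The function also leaves the window created by `new` and any surviving split open after the two `bw` commands, which may affect later tests' window layout — presumably harmless, but a trailing `only` or `%bwipe!` would make the cleanup explicit.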
diff --git a/src/version.c b/src/version.c
index 2f37123e4..c8559ef45 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 764,
/**/
763,
/**/