patch 9.0.2106: [security]: Use-after-free in win_close()

Problem: [security]: Use-after-free in win_close() Solution: Check window is valid, before accessing it If the current window structure is no longer valid (because a previous autocommand has already freed this window), fail and return before attempting to set win->w_closing variable. Add a test to trigger ASAN in CI Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-09-29 04:34:16 -04:00 · 2023-11-14 19:31:34 +01:00
parent 67abf1592c
commit 25aabc2b8e
4 changed files with 37 additions and 0 deletions
--- a/src/window.c
+++ b/src/window.c
@@ -2682,6 +2682,8 @@ win_close(win_T *win, int free_buf)
 	    reset_VIsual_and_resel();	// stop Visual mode

 	    other_buffer = TRUE;
+	    if (!win_valid(win))
+		return FAIL;
 	    win->w_closing = TRUE;
 	    apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf);
 	    if (!win_valid(win))