aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-25 03:54:15 -04:00
Code Activity

patch 9.1.0764: [security]: use-after-free when closing a buffer

Browse Source 
Problem:  [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
          check whether the newly to be edited buffer has been marked
          for deletion and abort in this case

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2024-10-06 17:31:10 +02:00
parent 818c641b6f
commit 51b62387be
5 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/buffer.c
View File

@@ -497,6 +497,12 @@ can_unload_buffer(buf_T *buf)
return can_unload; return can_unload;
} }
int
buf_locked(buf_T *buf)
{
return buf->b_locked || buf->b_locked_split;
}
/* /*
* Close the link to a buffer. * Close the link to a buffer.
* "action" is used when there is no longer a window for the buffer. * "action" is used when there is no longer a window for the buffer.

12
src/ex_cmds.c
View File

@@ -2743,6 +2743,18 @@ do_ecmd(
} }
if (buf == NULL) if (buf == NULL)
goto theend; goto theend;
// autocommands try to edit a file that is goind to be removed,
// abort
if (buf_locked(buf))
{
// window was split, but not editing the new buffer,
// reset b_nwindows again
if (oldwin == NULL
&& curwin->w_buffer != NULL
&& curwin->w_buffer->b_nwindows > 1)
--curwin->w_buffer->b_nwindows;
goto theend;
}
if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0) if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
// reusing the buffer, keep the old alternate file // reusing the buffer, keep the old alternate file
curwin->w_alt_fnum = prev_alt_fnum; curwin->w_alt_fnum = prev_alt_fnum;

1
src/proto/buffer.pro
View File

@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
void set_buflisted(int on); void set_buflisted(int on);
int buf_contents_changed(buf_T *buf); int buf_contents_changed(buf_T *buf);
void wipe_buffer(buf_T *buf, int aucmd); void wipe_buffer(buf_T *buf, int aucmd);
int buf_locked(buf_T *buf);
/* vim: set ft=c : */ /* vim: set ft=c : */

19
src/testdir/test_autocmd.vim
View File

@@ -4883,4 +4883,23 @@ func Test_GuiEnter_Turkish_locale()
endtry endtry
endfunc endfunc
" This was using freed memory
func Test_autocmd_BufWinLeave_with_vsp()
new
let fname = 'XXXBufWinLeaveUAF.txt'
let dummy = 'XXXDummy.txt'
call writefile([], fname)
call writefile([], dummy)
defer delete(fname)
defer delete(dummy)
exe "e " fname
vsp
augroup testing
exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
augroup END
bw
call CleanUpTestAuGroup()
exe "bw! " .. dummy
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab

2
src/version.c
View File

@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
764,
/**/ /**/
763, 763,
/**/ /**/