patch 9.0.1840: [security] use-after-free in do_ecmd

Problem: use-after-free in do_ecmd Solution: Verify oldwin pointer after reset_VIsual() Signed-off-by: Christian Brabandt <cb@256bit.org>
2023-09-02 14:40:13 +02:00
parent acb91d3905
commit e1dc9a6275
8 changed files with 59 additions and 4 deletions
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2646,12 +2646,18 @@ do_ecmd(
 	goto theend;
    }

-    /*
-     * End Visual mode before switching to another buffer, so the text can be
-     * copied into the GUI selection buffer.
-     */
+    
+     // End Visual mode before switching to another buffer, so the text can be
+     // copied into the GUI selection buffer.
+     // Careful: may trigger ModeChanged() autocommand
+     
+    // Should we block autocommands here?
    reset_VIsual();

+    // autocommands freed window :(
+    if (oldwin != NULL && !win_valid(oldwin))
+	oldwin = NULL;
+
 #if defined(FEAT_EVAL)
    if ((command != NULL || newlnum > (linenr_T)0)
 	    && *get_vim_var_str(VV_SWAPCOMMAND) == NUL)