mirror of
https://github.com/neovim/neovim.git
synced 2024-12-23 20:55:18 -07:00
vim-patch:9.1.0764: [security]: use-after-free when closing a buffer (#30705)
Problem: [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
check whether the newly to be edited buffer has been marked
for deletion and abort in this case
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
51b62387be
Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
parent
bf868e76e1
commit
2377443cd2
@ -478,6 +478,11 @@ static bool can_unload_buffer(buf_T *buf)
|
||||
return can_unload;
|
||||
}
|
||||
|
||||
bool buf_locked(buf_T *buf)
|
||||
{
|
||||
return buf->b_locked || buf->b_locked_split;
|
||||
}
|
||||
|
||||
/// Close the link to a buffer.
|
||||
///
|
||||
/// @param win If not NULL, set b_last_cursor.
|
||||
|
@ -2261,6 +2261,16 @@ int do_ecmd(int fnum, char *ffname, char *sfname, exarg_T *eap, linenr_T newlnum
|
||||
if (buf == NULL) {
|
||||
goto theend;
|
||||
}
|
||||
// autocommands try to edit a file that is goind to be removed, abort
|
||||
if (buf_locked(buf)) {
|
||||
// window was split, but not editing the new buffer, reset b_nwindows again
|
||||
if (oldwin == NULL
|
||||
&& curwin->w_buffer != NULL
|
||||
&& curwin->w_buffer->b_nwindows > 1) {
|
||||
curwin->w_buffer->b_nwindows--;
|
||||
}
|
||||
goto theend;
|
||||
}
|
||||
if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0) {
|
||||
// reusing the buffer, keep the old alternate file
|
||||
curwin->w_alt_fnum = prev_alt_fnum;
|
||||
|
@ -15,6 +15,13 @@ func s:cleanup_buffers() abort
|
||||
endfor
|
||||
endfunc
|
||||
|
||||
func CleanUpTestAuGroup()
|
||||
augroup testing
|
||||
au!
|
||||
augroup END
|
||||
augroup! testing
|
||||
endfunc
|
||||
|
||||
func Test_vim_did_enter()
|
||||
call assert_false(v:vim_did_enter)
|
||||
|
||||
@ -4152,4 +4159,23 @@ func Test_BufEnter_botline()
|
||||
set hidden&vim
|
||||
endfunc
|
||||
|
||||
" This was using freed memory
|
||||
func Test_autocmd_BufWinLeave_with_vsp()
|
||||
new
|
||||
let fname = 'XXXBufWinLeaveUAF.txt'
|
||||
let dummy = 'XXXDummy.txt'
|
||||
call writefile([], fname)
|
||||
call writefile([], dummy)
|
||||
defer delete(fname)
|
||||
defer delete(dummy)
|
||||
exe "e " fname
|
||||
vsp
|
||||
augroup testing
|
||||
exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
|
||||
augroup END
|
||||
bw
|
||||
call CleanUpTestAuGroup()
|
||||
exe "bw! " .. dummy
|
||||
endfunc
|
||||
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
|
Loading…
Reference in New Issue
Block a user