vim-patch:9.0.1840: [security] use-after-free in do_ecmd (#24993)

Problem: use-after-free in do_ecmd Solution: Verify oldwin pointer after reset_VIsual() e1dc9a6275 N/A patches for version.c: vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c Co-authored-by: Christian Brabandt <cb@256bit.org>
2025-10-03 16:36:30 +00:00 · 2023-09-03 11:15:43 +08:00
parent f32a69630d
commit 087ef52997
3 changed files with 49 additions and 0 deletions
--- a/src/nvim/ex_cmds.c
+++ b/src/nvim/ex_cmds.c
@@ -2230,8 +2230,16 @@ int do_ecmd(int fnum, char *ffname, char *sfname, exarg_T *eap, linenr_T newlnum

  // End Visual mode before switching to another buffer, so the text can be
  // copied into the GUI selection buffer.
+  // Careful: may trigger ModeChanged() autocommand
+
+  // Should we block autocommands here?
  reset_VIsual();

+  // autocommands freed window :(
+  if (oldwin != NULL && !win_valid(oldwin)) {
+    oldwin = NULL;
+  }
+
  if ((command != NULL || newlnum > (linenr_T)0)
      && *get_vim_var_str(VV_SWAPCOMMAND) == NUL) {
    // Set v:swapcommand for the SwapExists autocommands.