vim-patch:9.1.1361: [security]: possible use-after-free when closing a buffer (#33820)

Problem:  [security]: Possible to open more windows into a closing
          buffer without splitting, bypassing existing "b_locked_split"
          checks and triggering use-after-free
Solution: Disallow switching to a closing buffer. Editing a closing
          buffer (via ":edit", etc.) was fixed in v9.1.0764, but add an
          error message and check just "b_locked_split", as "b_locked"
          is necessary only when the buffer shouldn't be wiped, and may
          be set for buffers that are in-use but not actually closing.
          (Sean Dewar)

closes: vim/vim#17246

6cb1c82840
Sean Dewar
2025-05-04 03:15:51 +01:00
committed by GitHub
parent 2c1f5a6aa5
commit 627c648252
7 changed files with 56 additions and 16 deletions

@@ -368,7 +368,7 @@ struct file_buffer {
int b_locked; // Buffer is being closed or referenced, don't
// let autocommands wipe it out.
int b_locked_split; // Buffer is being closed, don't allow opening
// a new window with it.
// it in more windows.
int b_ro_locked; // Non-zero when the buffer can't be changed.
// Used for FileChangedRO
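
Review bot: the comment on b_locked_split still describes the flag only in terms of opening windows, but per the commit message this flag is now the one check for "buffer is closing", including when switching to or editing the buffer. Consider wording it along the lines of "Buffer is being closed, don't allow opening it in more windows or switching to it". The b_locked comment just above still reads "Buffer is being closed or referenced", which invites callers to treat b_locked as a closing test; since the message notes it may be set for buffers that are in use but not closing, a short remark there pointing to b_locked_split for that purpose would help avoid a repeat of the bypass.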