vim-patch:9.1.2023: [security]: Use-after-free in alist_add() with nasty autocmd

Problem: A BufAdd autocommand may cause alist_add() to use freed memory, this is caused by the w_locked variable unset too early (henices) Solution: in trigger_undo_ftplugin() only set w_locked to false, if it was false when calling the function. related: v9.1.0678 closes: vim/vim#19023 9266a2a197 Co-authored-by: Christian Brabandt <cb@256bit.org>
2026-01-16 01:55:30 +00:00 · 2026-01-14 09:42:36 +08:00
parent 328640aed0
commit 6fa2ebec6b
2 changed files with 13 additions and 2 deletions
--- a/src/nvim/buffer.c
+++ b/src/nvim/buffer.c
@@ -131,13 +131,14 @@ typedef enum {

 static void trigger_undo_ftplugin(buf_T *buf, win_T *win)
 {
+  const bool win_was_locked = win->w_locked;
  window_layout_lock();
  buf->b_locked++;
  win->w_locked = true;
  // b:undo_ftplugin may be set, undo it
  do_cmdline_cmd("if exists('b:undo_ftplugin') | exe b:undo_ftplugin | endif");
  buf->b_locked--;
-  win->w_locked = false;
+  win->w_locked = win_was_locked;
  window_layout_unlock();
 }

--- a/test/old/testdir/test_arglist.vim
+++ b/test/old/testdir/test_arglist.vim
@@ -776,7 +776,6 @@ func Test_crash_arglist_uaf()
  "%argdelete
  new one
  au BufAdd XUAFlocal :bw
-  "call assert_fails(':arglocal XUAFlocal', 'E163:')
  arglocal XUAFlocal
  au! BufAdd
  bw! XUAFlocal
@@ -792,4 +791,15 @@ func Test_crash_arglist_uaf()
  au! BufAdd
 endfunc

+" This was using freed memory again
+func Test_crash_arglist_uaf2()
+  new
+  au BufAdd XUAFlocal :bw
+  arglocal XUAFlocal
+  redraw!
+  put ='abc'
+  2#
+  au! BufAdd
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab