From 6fa2ebec6b244eea8dde01ca72deeebd4546e537 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Wed, 14 Jan 2026 09:42:36 +0800
Subject: [PATCH] vim-patch:9.1.2023: [security]: Use-after-free in alist_add() with nasty autocmd

Problem: A BufAdd autocommand may cause alist_add() to use freed memory, this is caused by the w_locked variable unset too early (henices)
Solution: in trigger_undo_ftplugin() only set w_locked to false, if it was false when calling the function.
related: v9.1.0678
closes: vim/vim#19023
https://github.com/vim/vim/commit/9266a2a19790dd3485b1dd32b3e27ba1d93e33d0

Co-authored-by: Christian Brabandt
---
src/nvim/buffer.c | 3 ++-
test/old/testdir/test_arglist.vim | 12 +++++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c
index 85cb824389..fb8235c1b3 100644
--- a/src/nvim/buffer.c
+++ b/src/nvim/buffer.c
@@ -131,13 +131,14 @@ typedef enum {
 
 static void trigger_undo_ftplugin(buf_T *buf, win_T *win)
 {
+  const bool win_was_locked = win->w_locked;
   window_layout_lock();
   buf->b_locked++;
   win->w_locked = true;
   // b:undo_ftplugin may be set, undo it
   do_cmdline_cmd("if exists('b:undo_ftplugin') | exe b:undo_ftplugin | endif");
   buf->b_locked--;
-  win->w_locked = false;
+  win->w_locked = win_was_locked;
   window_layout_unlock();
 }
 
diff --git a/test/old/testdir/test_arglist.vim b/test/old/testdir/test_arglist.vim
index 9c4d4bb715..bcf2b055ec 100644
--- a/test/old/testdir/test_arglist.vim
+++ b/test/old/testdir/test_arglist.vim
@@ -776,7 +776,6 @@ func Test_crash_arglist_uaf()
   "%argdelete
   new one
   au BufAdd XUAFlocal :bw
-  "call assert_fails(':arglocal XUAFlocal', 'E163:')
   arglocal XUAFlocal
   au! BufAdd
   bw! XUAFlocal
@@ -792,4 +791,15 @@ func Test_crash_arglist_uaf()
   au! BufAdd
 endfunc
 
+" This was using freed memory again
+func Test_crash_arglist_uaf2()
+  new
+  au BufAdd XUAFlocal :bw
+  arglocal XUAFlocal
+  redraw!
+  put ='abc'
+  2#
+  au! BufAdd
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
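Review bot: The restored line `win->w_locked = win_was_locked;` is the whole fix, but nothing in the function records why it must be a save/restore rather than the clear it replaces, while the `buf->b_locked++` / `buf->b_locked--` pair two lines above reads as if a plain "set then clear" is the pattern; a later cleanup that "simplifies" it back to `= false` would silently reintroduce the use-after-free the commit message describes. Suggest a comment above the new declaration, e.g. `// Remember the caller's lock state: w_locked is a flag, not a counter, so clearing it on exit would drop a lock an outer caller still relies on and let a BufAdd autocmd free the window while alist_add() is still using it (vim 9.1.2023).` The window is only shielded from being closed by w_locked; `do_cmdline_cmd()` still runs user-controlled `b:undo_ftplugin` with the layout lock held, so any other state that autocommand mutates is not covered by this change — presumably acceptable here, but worth a line in the comment so the guarantee is not over-read.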
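Review bot: Test_crash_arglist_uaf2 contains no assertion; like Test_crash_arglist_uaf above it, it passes simply by not crashing, so a regression of the use-after-free is only reliably caught under a sanitizer (ASAN/valgrind) build and a release-mode run can pass on freed-but-not-yet-reused memory. A short comment would save the next reader from hunting for a missing check, e.g. `" No assert: the test passes by not crashing; only a sanitizer build reliably detects the UAF`. The sibling test ends with `bw! XUAFlocal`, whereas the new one leaves the window opened by `new` (and whatever buffer the BufAdd autocmd left behind) for later tests to inherit; if the suite relies on per-test cleanup rather than a global teardown — which I cannot tell from this hunk — a matching `bw!` before `endfunc` would keep the two tests consistent.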