vim-patch:9.1.1361: [security]: possible use-after-free when closing a buffer (#33820)

Problem: [security]: Possible to open more windows into a closing buffer without splitting, bypassing existing "b_locked_split" checks and triggering use-after-free Solution: Disallow switching to a closing buffer. Editing a closing buffer (via ":edit", etc.) was fixed in v9.1.0764, but add an error message and check just "b_locked_split", as "b_locked" is necessary only when the buffer shouldn't be wiped, and may be set for buffers that are in-use but not actually closing. (Sean Dewar) closes: vim/vim#17246 6cb1c82840 (cherry picked from commit 627c648252)
2025-10-07 02:16:31 +00:00 · 2025-05-04 03:15:51 +01:00
parent bdd8498ed7
commit 9965cfb84c
7 changed files with 56 additions and 16 deletions
--- a/test/functional/api/window_spec.lua
+++ b/test/functional/api/window_spec.lua
@@ -1769,10 +1769,10 @@ describe('API/win', function()
        pcall_err(api.nvim_win_close, w, true)
      )

-      -- OK when using window to different buffer than `win`s.
+      -- OK when using a buffer that isn't closing.
      w = api.nvim_get_current_win()
      command(
-        'only | autocmd BufHidden * ++once call nvim_open_win(0, 0, #{split: "left", win: '
+        'only | autocmd BufHidden * ++once call nvim_open_win(bufnr("#"), 0, #{split: "left", win: '
          .. w
          .. '})'
      )