vim-patch:9.1.0678: [security]: use-after-free in alist_add()

Problem:  [security]: use-after-free in alist_add()
          (SuyueGuo)
Solution: Lock the current window, so that the reference to
          the argument list remains valid.

This fixes CVE-2024-43374

0a6e57b09b

Co-authored-by: Christian Brabandt <cb@256bit.org>
zeertzjq
2024-08-16 09:00:50 +08:00
parent 8b8096500d
commit b3d291c565
6 changed files with 50 additions and 18 deletions


@@ -203,6 +203,8 @@ void alist_set(alist_T *al, int count, char **files, int use_curbuf, int *fnum_l
/// Add file "fname" to argument list "al".
/// "fname" must have been allocated and "al" must have been checked for room.
///
/// May trigger Buf* autocommands
///
/// @param set_fnum 1: set buffer number; 2: re-use curbuf
void alist_add(alist_T *al, char *fname, int set_fnum)
{
@@ -213,6 +215,7 @@ void alist_add(alist_T *al, char *fname, int set_fnum)
return;
}
arglist_locked = true;
curwin->w_locked = true;
#ifdef BACKSLASH_IN_FILENAME
slash_adjust(fname);
@@ -225,6 +228,7 @@ void alist_add(alist_T *al, char *fname, int set_fnum)
al->al_ga.ga_len++;
arglist_locked = false;
curwin->w_locked = false;
}
#if defined(BACKSLASH_IN_FILENAME)
@@ -352,12 +356,14 @@ static void alist_add_list(int count, char **files, int after, bool will_edit)
(size_t)(ARGCOUNT - after) * sizeof(aentry_T));
}
arglist_locked = true;
curwin->w_locked = true;
for (int i = 0; i < count; i++) {
const int flags = BLN_LISTED | (will_edit ? BLN_CURBUF : 0);
ARGLIST[after + i].ae_fname = files[i];
ARGLIST[after + i].ae_fnum = buflist_add(files[i], flags);
}
arglist_locked = false;
curwin->w_locked = false;
ALIST(curwin)->al_ga.ga_len += count;
if (old_argcount > 0 && curwin->w_arg_idx >= after) {
curwin->w_arg_idx += count;
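Review bot: Both unlock sites (`curwin->w_locked = false;` after the loop in alist_add_list() and at the end of alist_add()) re-read `curwin` and clear the flag unconditionally. A lock already held by a caller would therefore be dropped early, and if a Buf* autocommand fired from buflist_add() makes another window current, the flag is cleared on that window while the original stays locked. The hunks do not show who else sets `w_locked` or whether a locked window can stop being current, so neither case can be ruled out from here. Pinning the window and restoring the prior state covers both: `win_T *const wp = curwin; const bool save_locked = wp->w_locked; wp->w_locked = true;` before the calls and `wp->w_locked = save_locked;` after them. Both function bodies start and end outside the hunks, so any return path between lock and unlock needs the same restore.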