From d49be1cd2893ad583361ac058279a471ad7877e5 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 17 Nov 2023 09:42:59 +0800
Subject: [PATCH] vim-patch:9.0.2010: [security] use-after-free from
 buf_contents_changed()

Problem:  [security] use-after-free from buf_contents_changed()
Solution: block autocommands

https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 src/nvim/buffer.c                            |   6 ++++++
 test/old/testdir/crash/editing_arg_idx_POC_1 | Bin 0 -> 398 bytes
 test/old/testdir/test_crash.vim              |   9 +++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 test/old/testdir/crash/editing_arg_idx_POC_1

diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c
index 6617907f8f..6d5c7a1766 100644
--- a/src/nvim/buffer.c
+++ b/src/nvim/buffer.c
@@ -4223,6 +4223,10 @@ bool buf_contents_changed(buf_T *buf)
   aco_save_T aco;
   aucmd_prepbuf(&aco, newbuf);
 
+  // We don't want to trigger autocommands now, they may have nasty
+  // side-effects like wiping buffers
+  block_autocmds();
+
   if (ml_open(curbuf) == OK
       && readfile(buf->b_ffname, buf->b_fname,
                   0, 0, (linenr_T)MAXLNUM,
@@ -4247,6 +4251,8 @@ bool buf_contents_changed(buf_T *buf)
     wipe_buffer(newbuf, false);
   }
 
+  unblock_autocmds();
+
   return differ;
 }
 
diff --git a/test/old/testdir/crash/editing_arg_idx_POC_1 b/test/old/testdir/crash/editing_arg_idx_POC_1
new file mode 100644
index 0000000000000000000000000000000000000000..5d048d03405a31e268f30950dc11d9dc767103de
GIT binary patch
literal 398
zcmYe!&&^HDQ`F5%EK0Z4Qiw>cC@4~}$<0qGw#!Ma`2W8sz1WT`v9u&#!KpMYC^a!9
zpeR*AOChx)RjD{nNkLC9wW1&~FGWMiCNZfr%}z;Efh#RRAp)dB3j~sLQ{s~|67$ki
zb25uF5{opsk`r?n%8N2fQqwYXQZ=I0BT7<>OVXeq3`(b^X>utjq^4vlM5GoKae<ws
z9+8%rGt0=z#47)+LJ$K(16OfojzL~=szQ5yQLX_)Jy&sNh(TUzg-s&J)uJFbAi0_m
z;c5nkycCd2)4xJon*1CETzdZeImDp~C=N9NIW#jT732gH^;jKsklWO;IkY4(DG%hP
bAOo)Q0tc=<6VzZ92m1#W%=tyRVo=opgL#j6

literal 0
HcmV?d00001

diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index 9a80340c28..5cd07e2a3f 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -78,6 +78,14 @@ func Test_crash1()
     \ '  && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\<cr>")
   call TermWait(buf, 1000)
 
+  let file = 'crash/editing_arg_idx_POC_1'
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  || echo "crash 10: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+  call TermWait(buf, 1000)
+  call delete('Xerr')
+  call delete('@')
+
   " clean up
   exe buf .. "bw!"
 
@@ -93,6 +101,7 @@ func Test_crash1()
       \ 'crash 7: [OK]',
       \ 'crash 8: [OK]',
       \ 'crash 9: [OK]',
+      \ 'crash 10: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))