commit d49be1cd2893ad583361ac058279a471ad7877e5
parent b6200fbdf2035b09abfc0f94fba9c432bc0b9245
Author: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 17 Nov 2023 09:42:59 +0800
vim-patch:9.0.2010: [security] use-after-free from buf_contents_changed()
Problem: [security] use-after-free from buf_contents_changed()
Solution: block autocommands
https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat:
3 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c
@@ -4223,6 +4223,10 @@ bool buf_contents_changed(buf_T *buf)
aco_save_T aco;
aucmd_prepbuf(&aco, newbuf);
+ // We don't want to trigger autocommands now, they may have nasty
+ // side-effects like wiping buffers
+ block_autocmds();
+
if (ml_open(curbuf) == OK
&& readfile(buf->b_ffname, buf->b_fname,
0, 0, (linenr_T)MAXLNUM,
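Review bot: The added comment says autocommands may end up "wiping buffers" but does not say which pointers this function depends on, so the reason for the block is hard to recover later. `buf->b_ffname` and `buf->b_fname` are passed to `readfile()` right below, and the commit title names a use-after-free, so it is presumably `buf` (or `newbuf`) that an autocommand could free. I would spell that out, e.g. `// Block autocommands: one fired during readfile() could wipe "buf" or "newbuf" while they are still used below.` The body of buf_contents_changed() starts and ends outside this hunk, so the later uses cannot be confirmed from here.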
@@ -4247,6 +4251,8 @@ bool buf_contents_changed(buf_T *buf)
wipe_buffer(newbuf, false);
}
+ unblock_autocmds();
+
return differ;
}
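Review bot: `unblock_autocmds()` is reached only by falling through to the final `return differ;`, so the pairing with the `block_autocmds()` added in the previous hunk holds only while no early return sits between the two calls; the lines between the hunks are not visible here. A path that skipped the unblock would presumably leave autocommands blocked after the function returns. A short comment at this call would protect the invariant, e.g. `// Pairs with block_autocmds() above; every exit path after that call must pass through here.` The same comment could note that `wipe_buffer(newbuf, false)` now runs with autocommands blocked, which looks intended.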
diff --git a/test/old/testdir/crash/editing_arg_idx_POC_1 b/test/old/testdir/crash/editing_arg_idx_POC_1
Binary files differ.
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
@@ -78,6 +78,14 @@ func Test_crash1()
\ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\<cr>")
call TermWait(buf, 1000)
+ let file = 'crash/editing_arg_idx_POC_1'
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' || echo "crash 10: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+ call TermWait(buf, 1000)
+ call delete('Xerr')
+ call delete('@')
+
" clean up
exe buf .. "bw!"
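Review bot: The new case chains its marker with `||` where the preceding case (crash 9) uses `&&`, so `crash 10: [OK]` is written whenever the command exits non-zero. A process killed by a signal or aborted by a sanitizer also reports a non-zero status to the shell, so this case would presumably still pass if the use-after-free returned. `cmn_args` is defined outside the hunk, so how Vim is invoked cannot be checked from here. At minimum add a comment such as `" This POC is expected to make Vim exit with an error rather than crash, hence "||"`, and consider checking the exit status explicitly so that signal exits (status above 128) are not counted as success.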
@@ -93,6 +101,7 @@ func Test_crash1()
\ 'crash 7: [OK]',
\ 'crash 8: [OK]',
\ 'crash 9: [OK]',
+ \ 'crash 10: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))