commit f36dd7557a98e2071f607b0859ccc632b58ccc87
parent 5a6532168443e479143c84aa42a5ac17d4c5db63
Author: Emanuel Krollmann <E.Krollmann@protonmail.com>
Date: Sun, 18 Jan 2026 17:19:30 +0100
fix(autocmd): heap UAF with :bwipe in Syntax autocmd
Problem:
Creating an autocommand which executes `:bwipe` on the Syntax event
causes a heap-use-after-free.
Solution: set BF_SYN_SET flag before applying autocommands
Diffstat:
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/nvim/option.c b/src/nvim/option.c
@@ -2715,11 +2715,11 @@ static void do_syntax_autocmd(buf_T *buf, bool value_changed)
static int syn_recursive = 0;
syn_recursive++;
+ buf->b_flags |= BF_SYN_SET;
// Only pass true for "force" when the value changed or not used
// recursively, to avoid endless recurrence.
apply_autocmds(EVENT_SYNTAX, buf->b_p_syn, buf->b_fname,
value_changed || syn_recursive == 1, buf);
- buf->b_flags |= BF_SYN_SET;
syn_recursive--;
}
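Review bot: The moved `buf->b_flags |= BF_SYN_SET;` carries no comment explaining why it has to come before `apply_autocmds()`, so a later tidy-up could move it back and reintroduce the use-after-free. I would add above it `// Set before triggering autocommands: they may wipe "buf", so it must not be dereferenced afterwards.` With the new order, handlers for the Syntax event run with the flag already set; that is presumably harmless, but worth confirming against the code that reads BF_SYN_SET. The start of do_syntax_autocmd lies outside the hunk, so any earlier use of `buf` is not visible here.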
diff --git a/test/functional/autocmd/autocmd_spec.lua b/test/functional/autocmd/autocmd_spec.lua
@@ -716,6 +716,15 @@ describe('autocmd', function()
]]
end)
+ it('no use-after-free when wiping buffer in Syntax autocommand', function()
+ exec([[
+ new
+ autocmd Syntax * ++once bwipe!
+ setlocal syntax=vim
+ ]])
+ assert_alive()
+ end)
+
it('no use-after-free from win_enter autocommands in win_move_after', function()
exec [[
split foo
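Review bot: `assert_alive()` is the only assertion in the new test, so on a build without a memory sanitizer a write to freed memory may not crash and the test could pass even with the fix reverted. The test also does not show that the `bwipe!` handler actually ran. Recording the new buffer's number before `setlocal syntax=vim` and asserting afterwards that `bufexists()` reports 0 for it would pin that. A one-line comment stating that the case covers the ordering of BF_SYN_SET in do_syntax_autocmd would tell future readers what regression it guards.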