alex/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2026-02-21 18:01:17 +10:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.1.2023: [security]: Use-after-free in alist_add() with nasty autocmd

Browse Source 
Problem:  A BufAdd autocommand may cause alist_add() to use freed
          memory, this is caused by the w_locked variable unset too
          early (henices)
Solution: in trigger_undo_ftplugin() only set w_locked to false, if it
          was false when calling the function.

related: v9.1.0678
closes: vim/vim#19023

9266a2a197

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2026-01-14 09:42:36 +08:00
parent 328640aed0
commit 6fa2ebec6b
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/nvim/buffer.c
View File

@@ -131,13 +131,14 @@ typedef enum {
static void trigger_undo_ftplugin(buf_T *buf, win_T *win)
{
const bool win_was_locked = win->w_locked;
window_layout_lock();
buf->b_locked++;
win->w_locked = true;
// b:undo_ftplugin may be set, undo it
do_cmdline_cmd("if exists('b:undo_ftplugin') | exe b:undo_ftplugin | endif");
buf->b_locked--;
win->w_locked = false;
win->w_locked = win_was_locked;
window_layout_unlock();
}