vim-patch:9.1.2023: [security]: Use-after-free in alist_add() with nasty autocmd

Problem: A BufAdd autocommand may cause alist_add() to use freed memory, this is caused by the w_locked variable unset too early (henices) Solution: in trigger_undo_ftplugin() only set w_locked to false, if it was false when calling the function. related: v9.1.0678 closes: vim/vim#19023 9266a2a197 Co-authored-by: Christian Brabandt <cb@256bit.org>
2026-02-22 18:30:39 +10:00 · 2026-01-14 09:42:36 +08:00
parent 328640aed0
commit 6fa2ebec6b
2 changed files with 13 additions and 2 deletions
--- a/test/old/testdir/test_arglist.vim
+++ b/test/old/testdir/test_arglist.vim
@@ -776,7 +776,6 @@ func Test_crash_arglist_uaf()
  "%argdelete
  new one
  au BufAdd XUAFlocal :bw
-  "call assert_fails(':arglocal XUAFlocal', 'E163:')
  arglocal XUAFlocal
  au! BufAdd
  bw! XUAFlocal
@@ -792,4 +791,15 @@ func Test_crash_arglist_uaf()
  au! BufAdd
 endfunc

+" This was using freed memory again
+func Test_crash_arglist_uaf2()
+  new
+  au BufAdd XUAFlocal :bw
+  arglocal XUAFlocal
+  redraw!
+  put ='abc'
+  2#
+  au! BufAdd
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab