fix(autocmd): heap UAF with :bwipe in Syntax autocmd

Problem: Creating an autocommand which executes `:bwipe` on the Syntax event causes a heap-use-after-free. Solution: set BF_SYN_SET flag before applying autocommands (cherry picked from commit f36dd7557a)
2026-02-21 09:50:19 +10:00 · 2026-01-18 17:19:30 +01:00
parent 6ef1b655fe
commit a512d43716
2 changed files with 10 additions and 1 deletions
--- a/src/nvim/option.c
+++ b/src/nvim/option.c
@@ -2726,11 +2726,11 @@ static void do_syntax_autocmd(buf_T *buf, bool value_changed)
  static int syn_recursive = 0;

  syn_recursive++;
+  buf->b_flags |= BF_SYN_SET;
  // Only pass true for "force" when the value changed or not used
  // recursively, to avoid endless recurrence.
  apply_autocmds(EVENT_SYNTAX, buf->b_p_syn, buf->b_fname,
                 value_changed || syn_recursive == 1, buf);
-  buf->b_flags |= BF_SYN_SET;
  syn_recursive--;
 }

--- a/test/functional/autocmd/autocmd_spec.lua
+++ b/test/functional/autocmd/autocmd_spec.lua
@@ -716,6 +716,15 @@ describe('autocmd', function()
    ]]
  end)

+  it('no use-after-free when wiping buffer in Syntax autocommand', function()
+    exec([[
+      new
+      autocmd Syntax * ++once bwipe!
+      setlocal syntax=vim
+    ]])
+    assert_alive()
+  end)
+
  it('no use-after-free from win_enter autocommands in win_move_after', function()
    exec [[
      split foo