authorzeertzjq <zeertzjq@outlook.com>2023-11-17 09:42:59 +0800
committerzeertzjq <zeertzjq@outlook.com>2023-11-17 09:59:22 +0800
commitd49be1cd2893ad583361ac058279a471ad7877e5 (patch)
tree3d2b7f6df5920969cbf66d8ab656af1a6260a830
parentb6200fbdf2035b09abfc0f94fba9c432bc0b9245 (diff)
vim-patch:9.0.2010: [security] use-after-free from buf_contents_changed()
Problem: [security] use-after-free from buf_contents_changed() Solution: block autocommands https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d Co-authored-by: Christian Brabandt <cb@256bit.org>
-rw-r--r--src/nvim/buffer.c6
-rw-r--r--test/old/testdir/crash/editing_arg_idx_POC_1bin0 -> 398 bytes
-rw-r--r--test/old/testdir/test_crash.vim9
3 files changed, 15 insertions, 0 deletions
diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c
index 6617907f8f..6d5c7a1766 100644
--- a/src/nvim/buffer.c
+++ b/src/nvim/buffer.c
@@ -4223,6 +4223,10 @@ bool buf_contents_changed(buf_T *buf)
aco_save_T aco;
aucmd_prepbuf(&aco, newbuf);
+ // We don't want to trigger autocommands now, they may have nasty
+ // side-effects like wiping buffers
+ block_autocmds();
+
if (ml_open(curbuf) == OK
&& readfile(buf->b_ffname, buf->b_fname,
0, 0, (linenr_T)MAXLNUM,
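Review bot: `block_autocmds()` is entered only after `aucmd_prepbuf(&aco, newbuf)` has returned, so that call runs outside the guarded region. Whether it can fire autocommands on this path is not visible in the hunk; if it can, the block belongs one statement earlier. The matching `unblock_autocmds();` in the second hunk sits after `wipe_buffer(newbuf, false)` and just before `return differ;`, so the pairing holds only while no early return is added between the two calls. I would extend the comment to say so, e.g. `// Paired with unblock_autocmds() before the final return; add no early return in between.` buf_contents_changed() starts before this hunk and its body continues past it.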
@@ -4247,6 +4251,8 @@ bool buf_contents_changed(buf_T *buf)
wipe_buffer(newbuf, false);
}
+ unblock_autocmds();
+
return differ;
}
diff --git a/test/old/testdir/crash/editing_arg_idx_POC_1 b/test/old/testdir/crash/editing_arg_idx_POC_1
new file mode 100644
index 0000000000..5d048d0340
--- /dev/null
+++ b/test/old/testdir/crash/editing_arg_idx_POC_1
Binary files differ
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index 9a80340c28..5cd07e2a3f 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -78,6 +78,14 @@ func Test_crash1()
\ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\<cr>")
call TermWait(buf, 1000)
+ let file = 'crash/editing_arg_idx_POC_1'
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' || echo "crash 10: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+ call TermWait(buf, 1000)
+ call delete('Xerr')
+ call delete('@')
+
" clean up
exe buf .. "bw!"
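Review bot: The new case chains its marker with `||` where the visible crash 9 line uses `&&`, so `crash 10: [OK]` is written whenever the editor exits non-zero, which in a POSIX shell includes being killed by a signal. As written, the check at `' || echo "crash 10: [OK]"'` would presumably still pass if the use-after-free returned and crashed the process, unless `cmn_args` (defined outside the hunk) or a sanitizer build catches it another way. If a non-zero exit is the expected outcome for this POC, a comment should record that, e.g. `" POC makes the editor exit with an error; '||' cannot tell that from a crash, sanitizer runs catch regressions`. Test_crash1() starts before the hunk and continues past it.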
@@ -93,6 +101,7 @@ func Test_crash1()
\ 'crash 7: [OK]',
\ 'crash 8: [OK]',
\ 'crash 9: [OK]',
+ \ 'crash 10: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))