diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2024-08-16 09:00:50 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2024-08-17 06:04:52 +0800 |
| commit | b3d291c5656085189e1ba65357119f16e2f5e9b0 (patch) | |
| tree | b49afe5c2b1ac440ec6ba5b0fdcb82bb32e4740c /src/nvim/buffer.c | |
| parent | 8b8096500d08d771a936d8ceca25ef5716c3874f (diff) | |
| download | rneovim-b3d291c5656085189e1ba65357119f16e2f5e9b0.tar.gz rneovim-b3d291c5656085189e1ba65357119f16e2f5e9b0.tar.bz2 rneovim-b3d291c5656085189e1ba65357119f16e2f5e9b0.zip | |
vim-patch:9.1.0678: [security]: use-after-free in alist_add()
Problem: [security]: use-after-free in alist_add()
(SuyueGuo)
Solution: Lock the current window, so that the reference to
the argument list remains valid.
This fixes CVE-2024-43374
https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/nvim/buffer.c')
| -rw-r--r-- | src/nvim/buffer.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c index ab648708fc..f986f558a9 100644 --- a/src/nvim/buffer.c +++ b/src/nvim/buffer.c @@ -1379,7 +1379,7 @@ static int do_buffer_ext(int action, int start, int dir, int count, int flags) // When the autocommand window is involved win_close() may need to print an error message. // Repeat this so long as we end up in a window with this buffer. while (buf == curbuf - && !(curwin->w_closing || curwin->w_buffer->b_locked > 0) + && !(win_locked(curwin) || curwin->w_buffer->b_locked > 0) && (is_aucmd_win(lastwin) || !last_window(curwin))) { if (win_close(curwin, false, false) == FAIL) { break; @@ -3644,7 +3644,7 @@ void ex_buffer_all(exarg_T *eap) : wp->w_width != Columns) || (had_tab > 0 && wp != firstwin)) && !ONE_WINDOW - && !(wp->w_closing || wp->w_buffer->b_locked > 0) + && !(win_locked(curwin) || wp->w_buffer->b_locked > 0) && !is_aucmd_win(wp)) { if (win_close(wp, false, false) == FAIL) { break; |