vim-patch:9.0.1857: [security] heap-use-after-free in is_qf_win()

Problem:  heap-use-after-free in is_qf_win()
Solution: Check buffer is valid before accessing it

https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed

Co-authored-by: Christian Brabandt <cb@256bit.org>

1 files changed, 1 insertions, 5 deletions

diff --git a/src/nvim/quickfix.c b/src/nvim/quickfix.c
index 19b34b52b4..2ddee313a3 100644
--- a/src/nvim/quickfix.c
+++ b/src/nvim/quickfix.c
@@ -262,10 +262,8 @@ static const char *e_current_location_list_was_changed =
 #define IS_QF_LIST(qfl)       ((qfl)->qfl_type == QFLT_QUICKFIX)
 #define IS_LL_LIST(qfl)       ((qfl)->qfl_type == QFLT_LOCATION)
 
-//
 // Return location list for window 'wp'
 // For location list window, return the referenced location list
-//
 #define GET_LOC_LIST(wp) (IS_LL_WINDOW(wp) ? (wp)->w_llist_ref : (wp)->w_llist)
 
 // Macro to loop through all the items in a quickfix list
@@ -3863,13 +3861,11 @@ static bool qf_win_pos_update(qf_info_T *qi, int old_qf_index)
 static int is_qf_win(const win_T *win, const qf_info_T *qi)
   FUNC_ATTR_NONNULL_ARG(2) FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT
 {
-  //
   // A window displaying the quickfix buffer will have the w_llist_ref field
   // set to NULL.
   // A window displaying a location list buffer will have the w_llist_ref
   // pointing to the location list.
-  //
-  if (bt_quickfix(win->w_buffer)) {
+  if (buf_valid(win->w_buffer) && bt_quickfix(win->w_buffer)) {
     if ((IS_QF_STACK(qi) && win->w_llist_ref == NULL)
         || (IS_LL_STACK(qi) && win->w_llist_ref == qi)) {
       return true;