From b3d291c5656085189e1ba65357119f16e2f5e9b0 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Fri, 16 Aug 2024 09:00:50 +0800
Subject: vim-patch:9.1.0678: [security]: use-after-free in alist_add()
Problem: [security]: use-after-free in alist_add() (SuyueGuo)
Solution: Lock the current window, so that the reference to the argument list remains valid.
This fixes CVE-2024-43374
https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8
Co-authored-by: Christian Brabandt
---
 src/nvim/arglist.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/nvim/arglist.c')
diff --git a/src/nvim/arglist.c b/src/nvim/arglist.c
index e3a2db75e5..bb639edc07 100644
--- a/src/nvim/arglist.c
+++ b/src/nvim/arglist.c
@@ -203,6 +203,8 @@ void alist_set(alist_T *al, int count, char **files, int use_curbuf, int *fnum_l
 /// Add file "fname" to argument list "al".
 /// "fname" must have been allocated and "al" must have been checked for room.
 ///
+/// May trigger Buf* autocommands
+///
 /// @param set_fnum 1: set buffer number; 2: re-use curbuf
 void alist_add(alist_T *al, char *fname, int set_fnum)
 {
@@ -213,6 +215,7 @@ void alist_add(alist_T *al, char *fname, int set_fnum)
 return;
 }
 arglist_locked = true;
+ curwin->w_locked = true;
 #ifdef BACKSLASH_IN_FILENAME
 slash_adjust(fname);
@@ -225,6 +228,7 @@ void alist_add(alist_T *al, char *fname, int set_fnum)
 al->al_ga.ga_len++;
 arglist_locked = false;
+ curwin->w_locked = false;
 }
 #if defined(BACKSLASH_IN_FILENAME)
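Review bot: The unlock at the end of alist_add rereads `curwin` instead of the window that was locked, so if one of the Buf* autocommands the new doc comment mentions switches windows (the body between this hunk and the @@ -225 hunk is outside the view, which is presumably where buflist_add runs), the `false` lands on a different window and the originally locked one stays locked. The same pattern appears in the @@ -225 hunk and in alist_add_list at @@ -352, where buflist_add() is visibly called inside the locked region. The reset is also unconditional, so it would clear a w_locked an outer caller already holds, if such a caller exists. Capturing the pointer and the prior value once addresses both: `win_T *wp = curwin; const bool was_locked = wp->w_locked; wp->w_locked = true;` at the lock site and `wp->w_locked = was_locked;` at the unlock site.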
@@ -352,12 +356,14 @@ static void alist_add_list(int count, char **files, int after, bool will_edit)
 (size_t)(ARGCOUNT - after) * sizeof(aentry_T));
 }
 arglist_locked = true;
+ curwin->w_locked = true;
 for (int i = 0; i < count; i++) {
 const int flags = BLN_LISTED | (will_edit ? BLN_CURBUF : 0);
 ARGLIST[after + i].ae_fname = files[i];
 ARGLIST[after + i].ae_fnum = buflist_add(files[i], flags);
 }
 arglist_locked = false;
+ curwin->w_locked = false;
 ALIST(curwin)->al_ga.ga_len += count;
 if (old_argcount > 0 && curwin->w_arg_idx >= after) {
 curwin->w_arg_idx += count;
-- cgit