From 087ef5299789123aa40e44937ef9bc31d49fd085 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Sun, 3 Sep 2023 11:15:43 +0800
Subject: vim-patch:9.0.1840: [security] use-after-free in do_ecmd (#24993)
Problem: use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()
https://github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c
N/A patches for version.c: vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c
Co-authored-by: Christian Brabandt
---
 src/nvim/ex_cmds.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src')
diff --git a/src/nvim/ex_cmds.c b/src/nvim/ex_cmds.c
index 494ebce370..82ebf1871a 100644
--- a/src/nvim/ex_cmds.c
+++ b/src/nvim/ex_cmds.c
@@ -2230,8 +2230,16 @@ int do_ecmd(int fnum, char *ffname, char *sfname, exarg_T *eap, linenr_T newlnum
 // End Visual mode before switching to another buffer, so the text can be
 // copied into the GUI selection buffer.
+ // Careful: may trigger ModeChanged() autocommand
+
+ // Should we block autocommands here?
 reset_VIsual();
+ // autocommands freed window :(
+ if (oldwin != NULL && !win_valid(oldwin)) {
+ oldwin = NULL;
+ }
+
 if ((command != NULL || newlnum > (linenr_T)0)
 && *get_vim_var_str(VV_SWAPCOMMAND) == NUL) {
 // Set v:swapcommand for the SwapExists autocommands.
-- cgit
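Review bot: The revalidation added after `reset_VIsual()` covers only `oldwin`, although the new comment says a ModeChanged autocommand can run at this point; any other window or buffer pointer that do_ecmd cached before the call (the function starts and continues outside this hunk) would need the same `win_valid`-style check, or the call would need autocommands blocked around it. The open question `// Should we block autocommands here?` is better resolved or recorded as a tracked TODO, and `// autocommands freed window :(` could state the guarantee instead, e.g. `// A ModeChanged autocommand may have closed oldwin; clear it so it is not dereferenced below.` The fix also depends on the later code treating `oldwin == NULL` as a normal case, which cannot be confirmed from the visible lines. The diffstat lists only ex_cmds.c, so no regression test accompanies this use-after-free fix.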