From b3d291c5656085189e1ba65357119f16e2f5e9b0 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 16 Aug 2024 09:00:50 +0800
Subject: vim-patch:9.1.0678: [security]: use-after-free in alist_add()

Problem:  [security]: use-after-free in alist_add()
          (SuyueGuo)
Solution: Lock the current window, so that the reference to
          the argument list remains valid.

This fixes CVE-2024-43374

https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 test/old/testdir/test_arglist.vim | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

(limited to 'test')

diff --git a/test/old/testdir/test_arglist.vim b/test/old/testdir/test_arglist.vim
index ebda332562..952b121aed 100644
--- a/test/old/testdir/test_arglist.vim
+++ b/test/old/testdir/test_arglist.vim
@@ -360,6 +360,7 @@ func Test_argv()
   call assert_equal('', argv(1, 100))
   call assert_equal([], argv(-1, 100))
   call assert_equal('', argv(10, -1))
+  %argdelete
 endfunc
 
 " Test for the :argedit command
@@ -744,4 +745,26 @@ func Test_all_command()
   %bw!
 endfunc
 
+" Test for deleting buffer when creating an arglist. This was accessing freed
+" memory
+func Test_crash_arglist_uaf()
+  "%argdelete
+  new one
+  au BufAdd XUAFlocal :bw
+  "call assert_fails(':arglocal XUAFlocal', 'E163:')
+  arglocal XUAFlocal
+  au! BufAdd
+  bw! XUAFlocal
+
+  au BufAdd XUAFlocal2 :bw
+  new two
+  new three
+  arglocal
+  argadd XUAFlocal2 Xfoobar
+  bw! XUAFlocal2
+  bw! two
+
+  au! BufAdd
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
-- 
cgit