patch 9.1.2128: Heap use after free in buf_check_timestamp() v9.1.2128
authorSean Dewar <6256228+seandewar@users.noreply.github.com>
Tue, 3 Feb 2026 15:00:12 +0000 (15:00 +0000)
committerChristian Brabandt <cb@256bit.org>
Tue, 3 Feb 2026 15:00:12 +0000 (15:00 +0000)
Problem:  heap UAF if autocommands from reloading a file changed outside
          of Vim wipe its buffer.
Solution: Validate the bufref after buf_reload (Sean Dewar)

closes: #19317

Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/fileio.c
src/testdir/test_filechanged.vim
src/version.c

index e637ab397f1f73c2e8fe1be12bde549aa8b9767f..0a4ca648d8aea3a9aa41d956a289f10f834a66ec 100644 (file)
@@ -4480,7 +4480,7 @@ buf_check_timestamp(
        // Reload the buffer.
        buf_reload(buf, orig_mode, reload == RELOAD_DETECT);
 #ifdef FEAT_PERSISTENT_UNDO
-       if (buf->b_p_udf && buf->b_ffname != NULL)
+       if (bufref_valid(&bufref) && buf->b_p_udf && buf->b_ffname != NULL)
        {
            char_u          hash[UNDO_HASH_SIZE];
            buf_T           *save_curbuf = curbuf;
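Review bot: The added `bufref_valid(&bufref)` check in the `FEAT_PERSISTENT_UNDO` condition has no comment explaining why `buf` can be invalid immediately after `buf_reload()`. Going by the commit message, autocommands run during the reload can wipe the buffer, so I would put `// Autocommands triggered by buf_reload() may have wiped out "buf".` above the `if`. The rest of buf_check_timestamp() lies outside this hunk, as does the place where `bufref` is set. It is worth confirming that any later dereference of `buf` after the `#endif` is guarded the same way, and that `bufref` was taken from this same `buf`.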
index da517515ae3502add383a01abc8b0c8755e5eeee..36503cfba07c666e27c0c5d3ff96ea60607fe8ad 100644 (file)
@@ -279,4 +279,27 @@ func Test_FileChangedShell_newbuf()
   au! testnewbuf
 endfunc
 
+func Test_file_changed_wipeout()
+  call writefile(['foo'], 'Xchanged_bw', 'D')
+  edit Xchanged_bw
+  augroup FileChangedWipeout
+    autocmd FileChangedShell * ++once let v:fcs_choice = 'reload'
+    autocmd BufReadPost * ++once %bw!
+  augroup END
+
+  " Need to wait until the timestamp would change.
+  if has('nanotime')
+    sleep 10m
+  else
+    sleep 2
+  endif
+  call writefile(['bar'], 'Xchanged_bw')
+  call assert_equal(1, bufexists('Xchanged_bw'))
+  checktime " used to be a heap UAF
+  call assert_equal(0, bufexists('Xchanged_bw'))
+
+  au! FileChangedWipeout
+  %bw!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
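Review bot: The two `bufexists()` assertions around `checktime` in Test_file_changed_wipeout() probably pass on an unfixed build as well, because a read from a freed buffer usually neither crashes nor changes what `bufexists()` reports. The regression is then only caught when the suite runs under a memory checker, and the comment should say so, e.g. `checktime " used to be a heap UAF; only detected under ASan/valgrind`. The guarded code in src/fileio.c sits inside `#ifdef FEAT_PERSISTENT_UNDO`, so builds without that feature do not exercise the fixed path at all; a short note at the top of the function would make that limit visible.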
index 7e44624ff8c3b76b302b35818ef3548d482c82cc..c4b5960384b592e88731595fbbba1be4c6ebe054 100644 (file)
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2128,
 /**/
     2127,
 /**/