From: Sean Dewar <6256228+seandewar@users.noreply.github.com> Date: Tue, 3 Feb 2026 15:00:12 +0000 (+0000) Subject: patch 9.1.2128: Heap use after free in buf_check_timestamp() X-Git-Tag: v9.1.2128^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=392b428d1239e963020b73682cd03f17ffb538b3;p=thirdparty%2Fvim.git patch 9.1.2128: Heap use after free in buf_check_timestamp() Problem: heap UAF if autocommands from reloading a file changed outside of Vim wipe its buffer. Solution: Validate the bufref after buf_reload (Sean Dewar) closes: #19317 Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com> Signed-off-by: Christian Brabandt
---
diff --git a/src/fileio.c b/src/fileio.c
index e637ab397f..0a4ca648d8 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -4480,7 +4480,7 @@ buf_check_timestamp(
 // Reload the buffer.
 buf_reload(buf, orig_mode, reload == RELOAD_DETECT);
 #ifdef FEAT_PERSISTENT_UNDO
- if (buf->b_p_udf && buf->b_ffname != NULL)
+ if (bufref_valid(&bufref) && buf->b_p_udf && buf->b_ffname != NULL)
 {
 char_u hash[UNDO_HASH_SIZE];
 buf_T *save_curbuf = curbuf;
diff --git a/src/testdir/test_filechanged.vim b/src/testdir/test_filechanged.vim
index da517515ae..36503cfba0 100644
--- a/src/testdir/test_filechanged.vim
+++ b/src/testdir/test_filechanged.vim
@@ -279,4 +279,27 @@ func Test_FileChangedShell_newbuf()
 au! testnewbuf
 endfunc
+func Test_file_changed_wipeout()
+ call writefile(['foo'], 'Xchanged_bw', 'D')
+ edit Xchanged_bw
+ augroup FileChangedWipeout
+ autocmd FileChangedShell * ++once let v:fcs_choice = 'reload'
+ autocmd BufReadPost * ++once %bw!
+ augroup END
+
+ " Need to wait until the timestamp would change.
+ if has('nanotime')
+ sleep 10m
+ else
+ sleep 2
+ endif
+ call writefile(['bar'], 'Xchanged_bw')
+ call assert_equal(1, bufexists('Xchanged_bw'))
+ checktime " used to be a heap UAF
+ call assert_equal(0, bufexists('Xchanged_bw'))
+
+ au! FileChangedWipeout
+ %bw!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
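Review bot: In the src/fileio.c hunk, the new `bufref_valid(&bufref)` guard has no comment saying why `buf` can be stale at this point, so a later cleanup could drop it as redundant. A one-line comment above the `if`, such as `// buf_reload() may trigger autocommands that wipe "buf".`, would record the lifetime hazard next to the check. The guard sits inside `#ifdef FEAT_PERSISTENT_UNDO`, so builds without that feature depend on the rest of buf_check_timestamp() never dereferencing `buf` unguarded after `buf_reload()`. That code is outside this hunk and is worth confirming. `bufref` is presumably initialised with `set_bufref()` earlier in the function, which the hunk also does not show.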
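Review bot: In the src/testdir/test_filechanged.vim hunk, the only post-condition of `Test_file_changed_wipeout()` is `assert_equal(0, bufexists('Xchanged_bw'))`, which probably holds with or without the fix because the `BufReadPost` autocommand wipes the buffer either way. The regression is therefore likely caught only when the stale read after `checktime` crashes or the suite runs under a memory checker. The trailing comment would be more useful if it said so, for example `checktime  " used to be a heap UAF; only reliably detected under ASan/Valgrind`. The fixed `sleep 10m` on the `has('nanotime')` path also assumes the filesystem records sub-second mtimes. If it does not, the second `writefile()` may not register as a change, and the test would pass without reaching the reload path.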
diff --git a/src/version.c b/src/version.c
index 7e44624ff8..c4b5960384 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 2128,
 /**/
 2127,
 /**/