From: Christian Brabandt Date: Sat, 27 Dec 2025 14:10:37 +0000 (+0000) Subject: patch 9.1.2023: [security]: Use-after-free in alist_add() with nasty autocmd X-Git-Tag: v9.1.2023^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9266a2a19790dd3485b1dd32b3e27ba1d93e33d0;p=thirdparty%2Fvim.git patch 9.1.2023: [security]: Use-after-free in alist_add() with nasty autocmd Problem: A BufAdd autocommand may cause alist_add() to use freed memory, this is caused by the w_locked variable unset too early (henices) Solution: in trigger_undo_ftplugin() only set w_locked to false, if it was false when calling the function. related: v9.1.0678 closes: #19023 Signed-off-by: Christian Brabandt
---
diff --git a/src/buffer.c b/src/buffer.c
index 0ed61a7032..52aa13de21 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -75,6 +75,7 @@ static garray_T buf_reuse = GA_EMPTY; // file numbers to recycle
 static void
 trigger_undo_ftplugin(buf_T *buf, win_T *win)
 {
+ int win_was_locked = win->w_locked;
 window_layout_lock();
 buf->b_locked++;
 win->w_locked = TRUE;
@@ -82,7 +83,7 @@ trigger_undo_ftplugin(buf_T *buf, win_T *win)
 do_cmdline_cmd((char_u*)"if exists('b:undo_ftplugin') | :legacy :exe \
 b:undo_ftplugin | endif");
 buf->b_locked--;
- win->w_locked = FALSE;
+ win->w_locked = win_was_locked;
 window_layout_unlock();
 }
diff --git a/src/testdir/test_arglist.vim b/src/testdir/test_arglist.vim
index 2a76ca6515..ed3ea718c2 100644
--- a/src/testdir/test_arglist.vim
+++ b/src/testdir/test_arglist.vim
@@ -772,7 +772,6 @@ func Test_crash_arglist_uaf()
 "%argdelete
 new one
 au BufAdd XUAFlocal :bw
- "call assert_fails(':arglocal XUAFlocal', 'E163:')
 arglocal XUAFlocal
 au! BufAdd
 bw! XUAFlocal
@@ -788,4 +787,15 @@ func Test_crash_arglist_uaf()
 au! BufAdd
 endfunc
+" This was using freed memory again
+func Test_crash_arglist_uaf2()
+ new
+ au BufAdd XUAFlocal :bw
+ arglocal XUAFlocal
+ redraw!
+ put ='abc'
+ 2#
+ au! BufAdd
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
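Review bot: The new `int win_was_locked = win->w_locked;` in trigger_undo_ftplugin() and the matching `win->w_locked = win_was_locked;` in the second hunk carry no comment, although restoring instead of clearing the flag is the whole fix. I would put `// Remember the lock state: a caller may already hold this window locked,` and `// and clearing the flag on return would unlock it too early.` above the declaration, so a later cleanup does not fold it back to `FALSE`. The two hunks also show that `buf->b_locked` is a counter (`++`/`--`) while `w_locked` is a plain flag, so the save/restore is only correct while lock and unlock pairs nest strictly. Any other site that still assigns `w_locked = FALSE` unconditionally would presumably have the same early-unlock exposure; none is visible in this diff, so that is an audit suggestion rather than a finding. One line of the function body lies between the two hunks and is not shown.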
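Review bot: Test_crash_arglist_uaf2() in the second test_arglist.vim hunk contains no assert call, so it reports a regression only if Vim actually crashes or the suite runs under a memory checker. The header comment should say that, for example `" No assert here: the test passes when Vim does not crash; run under ASan or valgrind to catch the use-after-free reliably`. The function also ends right after `au! BufAdd`, while the earlier test shown in the previous hunk follows that with `bw! XUAFlocal`. Adding `bw!` before `endfunc` would keep the window opened by `new` and the buffer modified by `put ='abc'` from carrying over, unless the test runner already wipes buffers between tests.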
diff --git a/src/version.c b/src/version.c
index c88bff30ab..fad0bdd585 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 2023,
 /**/
 2022,
 /**/