From 25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Tue, 14 Nov 2023 19:31:34 +0100
Subject: [PATCH] patch 9.0.2106: [security]: Use-after-free in win_close()

Problem:  [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it

If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.

Add a test to trigger ASAN in CI

Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/testdir/crash/poc1     | Bin 0 -> 3264 bytes
 src/testdir/test_crash.vim |  33 +++++++++++++++++++++++++++++++++
 src/version.c              |   2 ++
 src/window.c               |   2 ++
 4 files changed, 37 insertions(+)
 create mode 100644 src/testdir/crash/poc1

diff --git a/src/testdir/crash/poc1 b/src/testdir/crash/poc1
new file mode 100644
index 0000000000000000000000000000000000000000..ec223f16b8803b676e4c47620190a77f13a18e93
GIT binary patch
literal 3264
zc-rk&O=uHA6rM<P=u4}kh4@3oX^^I^X<32?o7PeVs}THakOpk2+w3Hb>`%M9u|<@`
zLlM(TJ&Jl04C=*0y$U_)C5Ilodlv*zXz68rvs-Ig+xkP$3Vx8?H#6UxdEd<JM|2~r
zS!0r=8`7bEn98b>ZkW2!I4cz-zyWZfBTMR+_O37^E;D6lnyfdq>#~_S-o}!Aa?E7i
znxR-dDxd7eUaJS>oNcg^xpY65l?x_kZH!OykR^v$$0j-RBBz5-ZjCWnS6V{d@<=Y-
z6KZ9UzQU4Xt(2w=r$%Kx!_}-cDx0m4l2tZgW_x)$tMZo1;iSziTg1`W(b&;&ED}y~
z(+sx)V_eBH(Ezuua1vP$T-Mf7cMu22$O0I2X-?n;{$9;_Xl`zfEzr96=>gtE5g){Z
zP57SAs)K{QpSt3mp$O*|Ex#+5%Y)zH9&O}TX`M)tC~aAOQ%~tWT*!Yu5(Zq7(WP@3
zF@i^AYB3pkb#ylqe0ug<+~#)Bh>v<hbevM0sZQi<ymoDELm`-{72J9+<se<&g|D3n
z7gi$iQDJdrOG5=lnw|kQ8We(M^u@uRu2CPUD&Tk&A9*4ouq82i5#MLXE#eMDfuH7%
zk26&VRqs$oIZGU7mGIJT_QkDkusE}BUQ&vq#bWVkv3TMDX@_=l%2n?72Q~kZ;KQz9
z(65raGcW)dUI|d9f%U$nL@_}z0}d3N8{7xffgCvZ9Bi{*1sk7J&Y%x64*+S?Q5Zl8
zAHC{_RyEG{#fcB!Q`0s4j;piN(`idEjNDQM2qCoe$AMLnU*RtkvRtjTU$1LFU9%bN
z2ic^sTKVIuZpjOlSz6yW|4TF6FZ~6~RR3;>+uT3I+^;qPcHqB>RK-LVVH`}&w+JV`
z23b|iYHG)>OHSSixFDp41S+sU5U>dm>V@h(LOt#V0q$_e%vWe)sL46hhH^Z?=89lj
zs@yj`Pmzz?6(!hP@|+8sYc?0%YlY~N5F4ERZTExqk>9yvFMs3&i2Qnw+T2xtr-V0O
ugN0QToNJr&pZwIU+s4ix{u_2)f$ePPBwzYhvAykl<G)%Tz%#!p*!dT<=Ec<j

literal 0
Hc-jL100001

diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 5cd07e2a3f..b093b053c5 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -110,6 +110,39 @@ func Test_crash1()
   call delete('X_crash1_result.txt')
 endfunc
 
+func Test_crash1_2()
+  CheckNotBSD
+  CheckExecutable dash
+
+  " The following used to crash Vim
+  let opts = #{cmd: 'sh'}
+  let vim  = GetVimProg()
+  let result = 'X_crash1_1_result.txt'
+
+  let buf = RunVimInTerminal('sh', opts)
+
+  let file = 'crash/poc1'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 1: [OK]" > '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
+  " clean up
+  exe buf .. "bw!"
+
+  exe "sp " .. result
+
+  let expected = [
+      \ 'crash 1: [OK]',
+      \ ]
+
+  call assert_equal(expected, getline(1, '$'))
+  bw!
+
+  call delete(result)
+endfunc
+
 func Test_crash2()
   " The following used to crash Vim
   let opts = #{wait_for_ruler: 0, rows: 20}
diff --git a/src/version.c b/src/version.c
index f9d1593c0d..ec021985f2 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2106,
 /**/
     2105,
 /**/
diff --git a/src/window.c b/src/window.c
index f77ede330d..55ce31c886 100644
--- a/src/window.c
+++ b/src/window.c
@@ -2682,6 +2682,8 @@ win_close(win_T *win, int free_buf)
 	    reset_VIsual_and_resel();	// stop Visual mode
 
 	    other_buffer = TRUE;
+	    if (!win_valid(win))
+		return FAIL;
 	    win->w_closing = TRUE;
 	    apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf);
 	    if (!win_valid(win))
-- 
2.47.3