git.ipfire.org Git - thirdparty/vim.git/commit

author	Sean Dewar <6256228+seandewar@users.noreply.github.com>
	Sat, 3 May 2025 16:37:27 +0000 (18:37 +0200)
committer	Christian Brabandt <cb@256bit.org>
	Sat, 3 May 2025 16:37:27 +0000 (18:37 +0200)
commit	6cb1c828406dcbb9b67ee788501b94f3a0bac88a
tree	43e4889b00b2adc95b10f93bb8b1df38d289500a	tree
parent	c3f48e3a76c61884d7801171ced327b76965bf29	commit \| diff

patch 9.1.1361: [security]: possible use-after-free when closing a buffer

Problem:  [security]: Possible to open more windows into a closing
          buffer without splitting, bypassing existing "b_locked_split"
          checks and triggering use-after-free
Solution: Disallow switching to a closing buffer. Editing a closing
          buffer (via ":edit", etc.) was fixed in v9.1.0764, but add an
          error message and check just "b_locked_split", as "b_locked"
          is necessary only when the buffer shouldn't be wiped, and may
          be set for buffers that are in-use but not actually closing.
          (Sean Dewar)

closes: #17246

Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

src/buffer.c		diff \| blob \| blame \| history
src/errors.h		diff \| blob \| blame \| history
src/ex_cmds.c		diff \| blob \| blame \| history
src/proto/buffer.pro		diff \| blob \| blame \| history
src/structs.h		diff \| blob \| blame \| history
src/testdir/test_autocmd.vim		diff \| blob \| blame \| history
src/testdir/test_buffer.vim		diff \| blob \| blame \| history
src/version.c		diff \| blob \| blame \| history