Problem: A BufAdd autocommand may cause alist_add() to use freed
memory; this is caused by the w_locked variable being unset too
early (henices)
Solution: in trigger_undo_ftplugin() only set w_locked to false if it
was false when the function was called.
related: v9.1.0678
closes: #19023
Signed-off-by: Christian Brabandt <cb@256bit.org>
static void
trigger_undo_ftplugin(buf_T *buf, win_T *win)
{
+ int win_was_locked = win->w_locked;
window_layout_lock();
buf->b_locked++;
win->w_locked = TRUE;
do_cmdline_cmd((char_u*)"if exists('b:undo_ftplugin') | :legacy :exe \
b:undo_ftplugin | endif");
buf->b_locked--;
- win->w_locked = FALSE;
+ win->w_locked = win_was_locked;
window_layout_unlock();
}
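Review bot: The new `win_was_locked` save and restore in trigger_undo_ftplugin() carries no comment explaining why the flag is restored rather than cleared, which is the whole point of the fix. A caller further up the stack may already have set `w_locked` while it still uses the window, and clearing it here lets a later autocommand close that window under the caller. I would add above the declaration `// w_locked may already be set by a caller; restore it instead of clearing it.` Note that `b_locked` on the neighbouring lines is a counter and nests by construction, while `w_locked` is a plain flag. Any other site that ends its lock with `win->w_locked = FALSE` would presumably have the same nesting problem; that is inferred from this hunk only and worth a grep.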
"%argdelete
new one
au BufAdd XUAFlocal :bw
- "call assert_fails(':arglocal XUAFlocal', 'E163:')
arglocal XUAFlocal
au! BufAdd
bw! XUAFlocal
au! BufAdd
endfunc
+" This was using freed memory again
+func Test_crash_arglist_uaf2()
+ new
+ au BufAdd XUAFlocal :bw
+ arglocal XUAFlocal
+ redraw!
+ put ='abc'
+ 2#
+ au! BufAdd
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
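Review bot: Test_crash_arglist_uaf2 asserts nothing and does not say what it exercises, so a reader cannot tell why `redraw!`, `put ='abc'` and `2#` follow `arglocal XUAFlocal`. A comment such as `" No assert: passes when Vim does not crash; run under ASan or valgrind to catch the use of freed memory` would make the regression readable, ideally with one more line naming the step that used to touch the freed memory. Unlike the test above it, which ends with `bw! XUAFlocal`, the new test never closes the window opened by `new`. The test runner may clean that up, but an explicit `bw!` after `au! BufAdd` would keep the test self-contained. If a command fails before `au! BufAdd` is reached, the BufAdd autocommand presumably stays defined for later tests, so an augroup or a deferred cleanup would be more robust.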
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2023,
/**/
2022,
/**/