patch 9.1.0678: [security]: use-after-free in alist_add() Problem: [security]: use-after-free in alist_add() (SuyueGuo) Solution: Lock the current window, so that the reference to the argument list remains valid. This fixes CVE-2024-43374 Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: 0a6e57b09bc8c76691b367a5babfb79b31b770e8 [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Thu Aug 15 22:15:28 2024 +0200
committer: Christian Brabandt <cb@256bit.org> Thu Aug 15 22:15:28 2024 +0200
tree: 03442904cdd3bd40c7748a313f9cb66a3d6c3bbf
parent: 3b59be4ed8a145d3188934f1a5cd85432bd2433d [diff] [blame]
diff --git a/src/buffer.c b/src/buffer.c
index 447ce76..34500e4 100644
--- a/src/buffer.c
+++ b/src/buffer.c

@@ -1484,7 +1484,7 @@
 	// (unless it's the only window).  Repeat this so long as we end up in
 	// a window with this buffer.
 	while (buf == curbuf
-		   && !(curwin->w_closing || curwin->w_buffer->b_locked > 0)
+		   && !(win_locked(curwin) || curwin->w_buffer->b_locked > 0)
 		   && (!ONE_WINDOW || first_tabpage->tp_next != NULL))
 	{
 	    if (win_close(curwin, FALSE) == FAIL)
@@ -5470,7 +5470,7 @@
 			    : wp->w_width != Columns)
 			|| (had_tab > 0 && wp != firstwin))
 		    && !ONE_WINDOW
-		    && !(wp->w_closing || wp->w_buffer->b_locked > 0)
+		    && !(win_locked(wp) || wp->w_buffer->b_locked > 0)
 		    && !win_unlisted(wp))
 	    {
 		if (win_close(wp, FALSE) == FAIL)
commit	0a6e57b09bc8c76691b367a5babfb79b31b770e8	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Thu Aug 15 22:15:28 2024 +0200
committer	Christian Brabandt <cb@256bit.org>	Thu Aug 15 22:15:28 2024 +0200
tree	03442904cdd3bd40c7748a313f9cb66a3d6c3bbf
parent	3b59be4ed8a145d3188934f1a5cd85432bd2433d [diff] [blame]