patch 9.1.0764: [security]: use-after-free when closing a buffer Problem: [security]: use-after-free when closing a buffer Solution: When splitting the window and editing a new buffer, check whether the newly to be edited buffer has been marked for deletion and abort in this case Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: 51b62387be93c65fa56bbabe1c3c1ea5df187641 [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Sun Oct 06 17:31:10 2024 +0200
committer: Christian Brabandt <cb@256bit.org> Sun Oct 06 17:36:31 2024 +0200
tree: 7201c63085dac1cc24b07d3e67a0040b4abd6858
parent: 818c641b6fac73b574a2b760213f515cee9a3c8e [diff] [blame]
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index fc6f377..31ebc1b 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim

@@ -4883,4 +4883,23 @@
   endtry
 endfunc
 
+" This was using freed memory
+func Test_autocmd_BufWinLeave_with_vsp()
+  new
+  let fname = 'XXXBufWinLeaveUAF.txt'
+  let dummy = 'XXXDummy.txt'
+  call writefile([], fname)
+  call writefile([], dummy)
+  defer delete(fname)
+  defer delete(dummy)
+  exe "e " fname
+  vsp
+  augroup testing
+    exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
+  augroup END
+  bw
+  call CleanUpTestAuGroup()
+  exe "bw! " .. dummy
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
commit	51b62387be93c65fa56bbabe1c3c1ea5df187641	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Sun Oct 06 17:31:10 2024 +0200
committer	Christian Brabandt <cb@256bit.org>	Sun Oct 06 17:36:31 2024 +0200
tree	7201c63085dac1cc24b07d3e67a0040b4abd6858
parent	818c641b6fac73b574a2b760213f515cee9a3c8e [diff] [blame]