patch 9.1.1361: [security]: possible use-after-free when closing a buffer
Problem: [security]: Possible to open more windows into a closing
buffer without splitting, bypassing existing "b_locked_split"
checks and triggering use-after-free
Solution: Disallow switching to a closing buffer. Editing a closing
buffer (via ":edit", etc.) was fixed in v9.1.0764, but add an
error message and check just "b_locked_split", as "b_locked"
is necessary only when the buffer shouldn't be wiped, and may
be set for buffers that are in-use but not actually closing.
(Sean Dewar)
closes: #17246
Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/buffer.c b/src/buffer.c
index 697efa3..b4481b2 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -526,12 +526,6 @@
return can_unload;
}
- int
-buf_locked(buf_T *buf)
-{
- return buf->b_locked || buf->b_locked_split;
-}
-
/*
* Close the link to a buffer.
* "action" is used when there is no longer a window for the buffer.
@@ -1432,12 +1426,19 @@
if ((flags & DOBUF_NOPOPUP) && bt_popup(buf) && !bt_terminal(buf))
return OK;
#endif
- if (
- action == DOBUF_GOTO
- && buf != curbuf
- && !check_can_set_curbuf_forceit((flags & DOBUF_FORCEIT) ? TRUE : FALSE))
- // disallow navigating to another buffer when 'winfixbuf' is applied
- return FAIL;
+ if (action == DOBUF_GOTO && buf != curbuf)
+ {
+ if (!check_can_set_curbuf_forceit((flags & DOBUF_FORCEIT) != 0))
+ // disallow navigating to another buffer when 'winfixbuf' is applied
+ return FAIL;
+ if (buf->b_locked_split)
+ {
+ // disallow navigating to a closing buffer, which like splitting,
+ // can result in more windows displaying it
+ emsg(_(e_cannot_switch_to_a_closing_buffer));
+ return FAIL;
+ }
+ }
if ((action == DOBUF_GOTO || action == DOBUF_SPLIT)
&& (buf->b_flags & BF_DUMMY))