patch 9.1.1361: [security]: possible use-after-free when closing a buffer Problem: [security]: Possible to open more windows into a closing buffer without splitting, bypassing existing "b_locked_split" checks and triggering use-after-free Solution: Disallow switching to a closing buffer. Editing a closing buffer (via ":edit", etc.) was fixed in v9.1.0764, but add an error message and check just "b_locked_split", as "b_locked" is necessary only when the buffer shouldn't be wiped, and may be set for buffers that are in-use but not actually closing. (Sean Dewar) closes: #17246 Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com> Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: 6cb1c828406dcbb9b67ee788501b94f3a0bac88a [log] [tgz]
author: Sean Dewar <6256228+seandewar@users.noreply.github.com> Sat May 03 18:37:27 2025 +0200
committer: Christian Brabandt <cb@256bit.org> Sat May 03 18:37:27 2025 +0200
tree: 43e4889b00b2adc95b10f93bb8b1df38d289500a
parent: c3f48e3a76c61884d7801171ced327b76965bf29 [diff] [blame]
diff --git a/src/structs.h b/src/structs.h
index 898f620..caf61ed 100644
--- a/src/structs.h
+++ b/src/structs.h

@@ -3072,7 +3072,7 @@
     int		b_locked;	// Buffer is being closed or referenced, don't
 				// let autocommands wipe it out.
     int		b_locked_split;	// Buffer is being closed, don't allow opening
-				// a new window with it.
+				// it in more windows.
 
     /*
      * b_ffname has the full path of the file (NULL for no name).
commit	6cb1c828406dcbb9b67ee788501b94f3a0bac88a	[log] [tgz]
author	Sean Dewar <6256228+seandewar@users.noreply.github.com>	Sat May 03 18:37:27 2025 +0200
committer	Christian Brabandt <cb@256bit.org>	Sat May 03 18:37:27 2025 +0200
tree	43e4889b00b2adc95b10f93bb8b1df38d289500a
parent	c3f48e3a76c61884d7801171ced327b76965bf29 [diff] [blame]