patch 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer
Problem: heap use-after-free possible when autocommands switch away from the
quickfix dummy buffer, but leave it open in a window.
Solution: close its windows first before attempting the wipe.
(Sean Dewar)
related: #17283
Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/quickfix.c b/src/quickfix.c
index 2271ae0..9fe7978 100644
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -7026,7 +7026,11 @@
aucmd_restbuf(&aco);
if (newbuf_to_wipe.br_buf != NULL && bufref_valid(&newbuf_to_wipe))
- wipe_buffer(newbuf_to_wipe.br_buf, FALSE);
+ {
+ block_autocmds();
+ wipe_dummy_buffer(newbuf_to_wipe.br_buf, NULL);
+ unblock_autocmds();
+ }
}
// Add back the "dummy" flag, otherwise buflist_findname_stat() won't
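Review bot: The block_autocmds()/unblock_autocmds() bracket around the new wipe_dummy_buffer() call carries no comment, and the reason for it is the whole bug being fixed: per the commit description an autocommand fired while the dummy buffer is being closed and wiped can switch away from it again while it still owns a window, which is the use-after-free. Add above block_autocmds(): `// Block autocommands: one could switch away from the dummy buffer while its windows are closed and it is wiped.`. wipe_dummy_buffer() is defined further down this file (see the later hunk) and the patch adds no prototype, so this call site relies on a static prototype already existing near the top of quickfix.c — worth confirming. The enclosing function starts before this hunk.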
@@ -7052,8 +7056,8 @@
/*
* Wipe out the dummy buffer that load_dummy_buffer() created. Restores
- * directory to "dirname_start" prior to returning, if autocmds or the
- * 'autochdir' option have changed it.
+ * directory to "dirname_start" if not NULL prior to returning, if autocmds or
+ * the 'autochdir' option have changed it.
*/
static void
wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
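Review bot: The rewritten header comment stacks two conditions awkwardly ("if not NULL prior to returning, if autocmds or ...") and does not say what passing NULL means. Suggest: `* Wipe out the dummy buffer that load_dummy_buffer() created. If "dirname_start" is not NULL and autocmds or the 'autochdir' option changed the current directory, restore it before returning.` Whether NULL means "the caller restores the directory itself" is inferred from the new NULL call in load_dummy_buffer(), so state that only if it is the intended contract. The function body runs past this hunk.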
@@ -7095,8 +7099,9 @@
// new aborting error, interrupt, or uncaught exception.
leave_cleanup(&cs);
#endif
- // When autocommands/'autochdir' option changed directory: go back.
- restore_start_dir(dirname_start);
+ if (dirname_start != NULL)
+ // When autocommands/'autochdir' option changed directory: go back.
+ restore_start_dir(dirname_start);
}
}
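Review bot: The why-comment now sits between the unbraced `if (dirname_start != NULL)` and its single statement, which is easy to misread as a braced body and separates the condition from what it guards. Move it above the condition so the three lines read `// When autocommands/'autochdir' option changed directory: go back.`, `if (dirname_start != NULL)`, `restore_start_dir(dirname_start);`. The function starts outside this hunk, so whether any earlier path in wipe_dummy_buffer() also dereferences "dirname_start" cannot be checked from here.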