patch 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer
Problem: heap use-after-free possible when autocommands switch away from the
quickfix dummy buffer, but leave it open in a window.
Solution: close its windows first before attempting the wipe.
(Sean Dewar)
related: #17283
Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 54e3bb7..df4cc80 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -6899,4 +6899,26 @@
wincmd q
endfunc
+func Test_vimgrep_dummy_buffer_crash()
+ augroup DummyCrash
+ autocmd!
+ " Make the dummy buffer non-current, but still open in a window.
+ autocmd BufReadCmd * ++once let s:dummy_buf = bufnr()
+ \| split | wincmd p | enew
+
+ " Autocmds from cleaning up the dummy buffer in this case should be blocked.
+ autocmd BufWipeout *
+ \ call assert_notequal(s:dummy_buf, str2nr(expand('<abuf>')))
+ augroup END
+
+ silent! vimgrep /./ .
+ redraw! " Window to freed dummy buffer used to remain; heap UAF.
+ call assert_equal([], win_findbuf(s:dummy_buf))
+ call assert_equal(0, bufexists(s:dummy_buf))
+
+ unlet! s:dummy_buf
+ autocmd! DummyCrash
+ %bw!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
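Review bot: The assertions after `silent! vimgrep /./ .` assume `s:dummy_buf` was set by the `BufReadCmd` autocmd; if vimgrep bails out before loading the dummy buffer (or the autocmd does not fire), `win_findbuf(s:dummy_buf)` raises an undefined-variable error that reads as a broken test rather than a missed regression. Adding `call assert_true(exists('s:dummy_buf'), 'dummy buffer was never loaded')` right after the vimgrep line makes that failure mode explicit and keeps the two regression checks meaningful. The `silent!` also deserves a short comment, since it hides whatever vimgrep reports here (presumably a no-match error, because the `BufReadCmd` handler leaves the buffer empty); something like `" silent!: the dummy buffer has no contents, so vimgrep reports no match` would tell a reader what is being suppressed. As a minor cleanup, `augroup! DummyCrash` after `autocmd! DummyCrash` would remove the now-empty group instead of leaving it defined for later tests.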