[vim/vim] Use-after-free in alist_add() (PR #19023)

[Christian Brabandt]

Problem: A BufAdd autocommand may cause alist_add() to use freed
memory, this is caused by the w_locked variable unset too
early.
Solution: in trigger_undo_ftplugin() only set w_locked to false, if it
was false when calling the function.

---

You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/19023

Commit Summary

• 15262b4 Use-after-free in alist_add()

File Changes

(2 files)

• M src/buffer.c (3)
• M src/testdir/test_arglist.vim (12)

Patch Links:

• https://github.com/vim/vim/pull/19023.patch
• https://github.com/vim/vim/pull/19023.diff

—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19023@github.com>

[zeertzjq]

zeertzjq left a comment (vim/vim#19023)

Perhaps w_locked = TRUE and w_locked = FALSE should be changed (everywhere) to w_locked++ and w_locked--? I think that's less code than saving and restoring the value.

—
Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19023/c3692958340@github.com>

[Christian Brabandt]

chrisbra left a comment (vim/vim#19023)

I tried that, but it caused undefined behaviour and I was not able to track it down, if this was caused by in-balanced counter.

—
Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19023/c3692965308@github.com>

[Christian Brabandt]

Closed #19023 via 9266a2a.

—
Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/pull/19023/issue_event/21765794824@github.com>