Commit: patch 9.1.2128: Heap use after free in buf_check_timestamp()


Christian Brabandt

Feb 3, 2026, 10:16:34 AM
to vim...@googlegroups.com
patch 9.1.2128: Heap use after free in buf_check_timestamp()

Commit: https://github.com/vim/vim/commit/392b428d1239e963020b73682cd03f17ffb538b3
Author: Sean Dewar <6256228+...@users.noreply.github.com>
Date: Tue Feb 3 15:00:12 2026 +0000

patch 9.1.2128: Heap use after free in buf_check_timestamp()

Problem: heap UAF if autocommands from reloading a file changed outside
of Vim wipe its buffer.
Solution: Validate the bufref after buf_reload (Sean Dewar)

closes: #19317

Signed-off-by: Sean Dewar <6256228+...@users.noreply.github.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/fileio.c b/src/fileio.c
index e637ab397..0a4ca648d 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -4480,7 +4480,7 @@ buf_check_timestamp(
// Reload the buffer.
buf_reload(buf, orig_mode, reload == RELOAD_DETECT);
#ifdef FEAT_PERSISTENT_UNDO
- if (buf->b_p_udf && buf->b_ffname != NULL)
+ if (bufref_valid(&bufref) && buf->b_p_udf && buf->b_ffname != NULL)
{
char_u hash[UNDO_HASH_SIZE];
buf_T *save_curbuf = curbuf;
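Review bot: the new `bufref_valid(&bufref)` test sits inside `#ifdef FEAT_PERSISTENT_UNDO`, so it only protects the undo-hash block; a build without that feature gets no validation after `buf_reload()`, and if any code after this block (not visible in this hunk) still uses `buf`, it would be working with a freed pointer. Consider validating once, directly after the `buf_reload()` call and outside the `#ifdef`, and skipping everything that dereferences `buf` when the buffer is gone. A short comment next to the check saying that autocommands triggered by the reload may wipe the buffer would also record why `buf` cannot be trusted here.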
diff --git a/src/testdir/test_filechanged.vim b/src/testdir/test_filechanged.vim
index da517515a..36503cfba 100644
--- a/src/testdir/test_filechanged.vim
+++ b/src/testdir/test_filechanged.vim
@@ -279,4 +279,27 @@ func Test_FileChangedShell_newbuf()
au! testnewbuf
endfunc

+func Test_file_changed_wipeout()
+ call writefile(['foo'], 'Xchanged_bw', 'D')
+ edit Xchanged_bw
+ augroup FileChangedWipeout
+ autocmd FileChangedShell * ++once let v:fcs_choice = 'reload'
+ autocmd BufReadPost * ++once %bw!
+ augroup END
+
+ " Need to wait until the timestamp would change.
+ if has('nanotime')
+ sleep 10m
+ else
+ sleep 2
+ endif
+ call writefile(['bar'], 'Xchanged_bw')
+ call assert_equal(1, bufexists('Xchanged_bw'))
+ checktime " used to be a heap UAF
+ call assert_equal(0, bufexists('Xchanged_bw'))
+
+ au! FileChangedWipeout
+ %bw!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 7e44624ff..c4b596038 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2128,
/**/
2127,
/**/