# HG changeset patch # User Christian Brabandt # Date 1697051708 -7200 # Node ID 1947bb095199878422acc53f086dc65b6ffd5012 # Parent d41f4b9a944ecf1a2e60ce120a370224bb482c28 patch 9.0.2010: [security] use-after-free from buf_contents_changed() Commit: https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d Author: Christian Brabandt Date: Wed Oct 11 21:08:13 2023 +0200 patch 9.0.2010: [security] use-after-free from buf_contents_changed() Problem: [security] use-after-free from buf_contents_changed() Solution: block autocommands Signed-off-by: Christian Brabandt diff --git a/src/buffer.c b/src/buffer.c --- a/src/buffer.c +++ b/src/buffer.c @@ -6013,6 +6013,9 @@ buf_contents_changed(buf_T *buf) return TRUE; } + // We don't want to trigger autocommands now, they may have nasty + // side-effects like wiping buffers + block_autocmds(); if (ml_open(curbuf) == OK && readfile(buf->b_ffname, buf->b_fname, (linenr_T)0, (linenr_T)0, (linenr_T)MAXLNUM, @@ -6038,6 +6041,8 @@ buf_contents_changed(buf_T *buf) if (curbuf != newbuf) // safety check wipe_buffer(newbuf, FALSE); + unblock_autocmds(); + return differ; } diff --git a/src/testdir/crash/editing_arg_idx_POC_1 b/src/testdir/crash/editing_arg_idx_POC_1 new file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..5d048d03405a31e268f30950dc11d9dc767103de GIT binary patch literal 398 zc${s}!Ait15C-6Q&0W2Yy>wf2DbmwYi}(amL<%B0n@qZeHeHgI?M-jKgYV?Um+%QZ zuZg=N6@Lg!V1D=*(X}n=lQWH`x`?5qacv-LJ8AQV#_iTrHs?6>9b65nAe7gJAO;#K zusVSG+!avES&-p!P*nY_ImY z{TWom0Z7(PWDNgig{5n}o-fix_XY)H&)n8cqAkHoXWE24x&KX~Y0S{85C5nSe$|X= z>7~`@PAWbod3SFIg$XqEP&a!*8s49V-WL7`?QyBSsYv){eaUqyCTBjLoY^fN?YF-G DgL#j6 diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim --- a/src/testdir/test_crash.vim +++ b/src/testdir/test_crash.vim 
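Review bot: The `block_autocmds()` added in the first buffer.c hunk and the `unblock_autocmds()` added before `return differ;` in the second are a pair that nothing ties together, and the code between them lies outside both hunks. A return added later between the two calls would leave the block unbalanced and autocommands disabled afterwards, so the new comment should state the invariant, e.g. `// Autocommands stay blocked until unblock_autocmds() below; no return in between.` The `return TRUE;` visible just above the new call runs before blocking and is unaffected. Whether the steps before that early return can themselves fire autocommands cannot be judged from the hunk and is worth confirming.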
@@ -78,6 +78,14 @@ func Test_crash1() \ ' && echo "crash 9: [OK]" >> X_crash1_result.txt' .. "\") call TermWait(buf, 1000) + let file = 'crash/editing_arg_idx_POC_1' + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' || echo "crash 10: [OK]" >> X_crash1_result.txt' .. "\") + call TermWait(buf, 1000) + call delete('Xerr') + call delete('@') + " clean up exe buf .. "bw!" @@ -93,6 +101,7 @@ func Test_crash1() \ 'crash 7: [OK]', \ 'crash 8: [OK]', \ 'crash 9: [OK]', + \ 'crash 10: [OK]', \ ] call assert_equal(expected, getline(1, '$')) diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 2010, +/**/ 2009, /**/ 2008,
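Review bot: The new crash 10 case chains the echo with `||` where the crash 9 line above it uses `&&`, so `crash 10: [OK]` is written whenever Vim exits non-zero, which presumably also covers death by signal or a sanitizer abort. If that is so, this case would still pass should the use-after-free return. A comment such as `" the POC makes Vim exit with an error, hence '||'` would record the intent, and matching the specific expected exit status rather than any failure would let the test tell an error exit from a crash. `cmn_args` and the rest of Test_crash1() are outside the hunk, so the exact exit behaviour cannot be confirmed from here.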