From: Markus Koschany
Date: Sun, 30 Oct 2022 20:10:52 +0100
Subject: CVE-2022-0443
Origin: https://github.com/vim/vim/commit/9b4a80a66544f2782040b641498754bcb5b8d461
---
 src/buffer.c | 15 ++++++++++-----
 src/testdir/test_quickfix.vim | 16 ++++++++++++++++
 2 files changed, 26 insertions(+), 5 deletions(-)
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1627,6 +1627,7 @@ set_curbuf(buf_T *buf, int action)
 #endif
 bufref_T newbufref;
 bufref_T prevbufref;
+ int valid;

 setpcmark();
 if (!cmdmod.keepalt)
@@ -1679,13 +1680,19 @@ set_curbuf(buf_T *buf, int action)
 /* An autocommand may have deleted "buf", already entered it (e.g., when
 * it did ":bunload") or aborted the script processing.
 * If curwin->w_buffer is null, enter_buffer() will make it valid again */
- if ((buf_valid(buf) && buf != curbuf
+ valid = buf_valid(buf);
+ if ((valid && buf != curbuf
 #ifdef FEAT_EVAL
 && !aborting()
 #endif
 ) || curwin->w_buffer == NULL)
 {
- enter_buffer(buf);
+ // If the buffer is not valid but curwin->w_buffer is NULL we must
+ // enter some buffer. Using the last one is hopefully OK.
+ if (!valid)
+ enter_buffer(lastbuf);
+ else
+ enter_buffer(buf);
 #ifdef FEAT_SYN_HL
 if (old_tw != curbuf->b_p_tw)
 check_colorcolumn(curwin);
@@ -2166,9 +2173,7 @@ free_buf_options(
 if (buf->b_p_vsts_nopaste)
 vim_free(buf->b_p_vsts_nopaste);
 buf->b_p_vsts_nopaste = NULL;
- if (buf->b_p_vsts_array)
- vim_free(buf->b_p_vsts_array);
- buf->b_p_vsts_array = NULL;
+ VIM_CLEAR(buf->b_p_vsts_array);
 clear_string_option(&buf->b_p_vts);
 VIM_CLEAR(buf->b_p_vts_array);
 #endif
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -3899,3 +3899,19 @@ func Test_viscol()
 set efm&
 call delete('Xfile1')
 endfunc
+
+" Weird sequence of commands that caused entering a wiped-out buffer
+func Test_lopen_bwipe()
+ func! R()
+ silent! tab lopen
+ e x
+ silent! lfile
+ endfunc
+
+ cal R()
+ cal R()
+ cal R()
+ bw!
+ delfunc R
+endfunc
+
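Review bot: The fallback `enter_buffer(lastbuf)` added in the second set_curbuf hunk relies on `lastbuf` being non-NULL and not being the wiped-out `buf` itself, and the new comment only says this is "hopefully OK", so neither invariant is checked or recorded at the point where an invalid `buf` is replaced. I would extend the comment to state what is relied on, e.g. `// lastbuf is assumed non-NULL (buffer list never empty) and cannot be "buf", which was unlinked from the list when it was wiped out -- confirm`, so that a later change to buffer-list handling does not silently reintroduce the wiped-out-buffer access this commit fixes. set_curbuf begins and ends outside the hunk, so whether `lastbuf` can be NULL when `curwin->w_buffer == NULL` cannot be confirmed from here. The VIM_CLEAR change in free_buf_options is an unrelated cleanup and would be easier to audit as its own commit.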