From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar
Date: Wed, 28 Sep 2022 11:48:30 +0100
Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
Problem: SpellFileMissing autocmd may delete buffer.
Solution: Disallow deleting the current buffer to avoid using freed memory.
---
 src/buffer.c | 7 ++++++-
 src/spell.c | 6 ++++++
 src/testdir/test_autocmd.vim | 10 ++++++++++
 src/version.c | 2 ++
 4 files changed, 24 insertions(+), 1 deletion(-)
Backport: src/buffer.c isn't vulnerable yet
--- a/src/spell.c
+++ b/src/spell.c
@@ -1813,6 +1813,10 @@ spell_load_lang(char_u *lang)
 sl.sl_slang = NULL;
 sl.sl_nobreak = FALSE;
+ // Disallow deleting the current buffer. Autocommands can do weird things
+ // and cause "lang" to be freed.
+ ++curbuf->b_locked;
+
 /* We may retry when no spell file is found for the language, an
 * autocommand may load it then. */
 for (round = 1; round <= 2; ++round)
@@ -1866,6 +1870,8 @@ spell_load_lang(char_u *lang)
 STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
 do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
 }
+
+ --curbuf->b_locked;
 }
 /*
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -1416,3 +1416,14 @@ func Test_Changed_FirstTime()
 endfunc
 " FileChangedShell tested in test_filechanged.vim
+
+" this was wiping out the current buffer and using freed memory
+func Test_SpellFileMissing_bwipe()
+ next 0
+ au SpellFileMissing 0 bwipe
+ call assert_fails('set spell spelllang=0', 'E937:')
+
+ au! SpellFileMissing
+ bwipe
+endfunc
+
--- a/src/version.c
+++ b/src/version.c
@@ -2620,6 +2620,7 @@ static char *(extra_patches[]) =
 "8.2.3428",
 "9.0.0490",
 "9.0.0530",
+ "9.0.0614",
 /**/
 NULL
 };
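Review bot: The lock taken by `++curbuf->b_locked;` and the release in the later spell.c hunk (`--curbuf->b_locked;` at the end of spell_load_lang) each read the global `curbuf` at the moment they run, so if a SpellFileMissing autocommand makes another buffer current in between, the decrement lands on a different buffer than the increment. That would leave the original buffer permanently undeletable and under-count the lock on the other one, which may bring back the use of freed memory this patch is meant to prevent; whether the autocommand path can actually change `curbuf` here is not visible in the hunk, so this needs confirming. Capturing the pointer once, `buf_T *locked_buf = curbuf;` followed by `++locked_buf->b_locked;` and later `--locked_buf->b_locked;`, keeps the pair balanced. The loop body between the two hunks lies outside the diff, so it is also worth checking that no path returns before the decrement.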
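Review bot: Test_SpellFileMissing_bwipe does not restore the options it touches: `set spell spelllang=0` is expected to fail with E937, but `:set` may still leave 'spell' switched on and 'spelllang' at `0` for the tests that run afterwards, and the trailing `bwipe` only removes the buffer. Adding `set nospell spelllang=en` after `au! SpellFileMissing` would put both back. The autocommand is also defined outside an augroup, so `au! SpellFileMissing` clears every handler for that event rather than only this test's; a short comment stating that this is intended would help.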