From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 28 Sep 2022 11:48:30 +0100
Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
Problem: SpellFileMissing autocmd may delete buffer.
Solution: Disallow deleting the current buffer to avoid using freed memory.
---
src/buffer.c | 7 ++++++-
src/spell.c | 6 ++++++
src/testdir/test_autocmd.vim | 10 ++++++++++
src/version.c | 2 ++
4 files changed, 24 insertions(+), 1 deletion(-)
Backport: src/buffer.c isn't vulnerable yet
diff --git a/src/spell.c b/src/spell.c
index 628814fe6db3..975b5a6789a9 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -1813,6 +1813,10 @@ spell_load_lang(char_u *lang)
sl.sl_slang = NULL;
sl.sl_nobreak = FALSE;
+ // Disallow deleting the current buffer. Autocommands can do weird things
+ // and cause "lang" to be freed.
+ ++curbuf->b_locked;
+
/* We may retry when no spell file is found for the language, an
* autocommand may load it then. */
for (round = 1; round <= 2; ++round)
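Review bot: The `++curbuf->b_locked` added here and the `--curbuf->b_locked` added in the next hunk of this file are only a matching pair if `curbuf` still names the same buffer when the function ends; the lock is taken on whichever buffer is current at that moment, so if an autocommand fired from the retry loop could still switch buffers, the decrement would land on the new buffer and leave the original one locked. Presumably `b_locked` also blocks switching to another buffer, not only wiping it, but that is not visible in this patch; a comment stating that assumption next to the increment would make it explicit, e.g. `// Also relies on a locked buffer staying current, so the matching --b_locked at the end hits the same buffer.` The body of spell_load_lang between the two hunks, including the autocommand call and any early exit, is outside both hunks, so any return path there must decrement the lock as well.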
@@ -1866,6 +1870,8 @@ spell_load_lang(char_u *lang)
STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
}
+
+ --curbuf->b_locked;
}
/*
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index 86732f15dbe4..70f0f553a226 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -1416,3 +1416,14 @@
endfunc
" FileChangedShell tested in test_filechanged.vim
+
+" this was wiping out the current buffer and using freed memory
+func Test_SpellFileMissing_bwipe()
+ next 0
+ au SpellFileMissing 0 bwipe
+ call assert_fails('set spell spelllang=0', 'E937:')
+
+ au! SpellFileMissing
+ bwipe
+endfunc
+
--- a/src/version.c
+++ b/src/version.c
@@ -2620,6 +2620,7 @@
"8.2.3428",
"9.0.0490",
"9.0.0530",
+ "9.0.0614",
/**/
NULL
};