From b683197f99cceef4fac3a6d7ffa336be385e041c Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Tue, 8 Oct 2024 10:45:33 +0800
Subject: [PATCH] fix CVE-2024-47814
---
backport-CVE-2024-47814.patch | 100 ++++++++++++++++++++++++++++++++++
vim.spec | 9 ++-
2 files changed, 108 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2024-47814.patch
diff --git a/backport-CVE-2024-47814.patch b/backport-CVE-2024-47814.patch
new file mode 100644
index 0000000..63dfdce
--- /dev/null
+++ b/backport-CVE-2024-47814.patch
@@ -0,0 +1,100 @@
+From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 6 Oct 2024 17:31:10 +0200
+Subject: [PATCH] patch 9.1.0764: [security]: use-after-free when closing a
+ buffer
+
+Problem: [security]: use-after-free when closing a buffer
+Solution: When splitting the window and editing a new buffer,
+ check whether the newly to be edited buffer has been marked
+ for deletion and abort in this case
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
+
+Signed-off-by: Christian Brabandt
+---
+ src/buffer.c | 6 ++++++
+ src/ex_cmds.c | 12 ++++++++++++
+ src/proto/buffer.pro | 1 +
+ src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
+ 4 files changed, 38 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 34500e4abc282..90be301e85708 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -497,6 +497,12 @@ can_unload_buffer(buf_T *buf)
+ return can_unload;
+ }
+
++ int
++buf_locked(buf_T *buf)
++{
++ return buf->b_locked || buf->b_locked_split;
++}
++
+ /*
+ * Close the link to a buffer.
+ * "action" is used when there is no longer a window for the buffer.
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index acddd9c38ea5e..b990de444b871 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -2743,6 +2743,18 @@ do_ecmd(
+ }
+ if (buf == NULL)
+ goto theend;
++ // autocommands try to edit a file that is goind to be removed,
++ // abort
++ if (buf_locked(buf))
++ {
++ // window was split, but not editing the new buffer,
++ // reset b_nwindows again
++ if (oldwin == NULL
++ && curwin->w_buffer != NULL
++ && curwin->w_buffer->b_nwindows > 1)
++ --curwin->w_buffer->b_nwindows;
++ goto theend;
++ }
+ if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
+ // reusing the buffer, keep the old alternate file
+ curwin->w_alt_fnum = prev_alt_fnum;
+diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
+index 3a6102789ed5c..dc68ca8fc123f 100644
+--- a/src/proto/buffer.pro
++++ b/src/proto/buffer.pro
+@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
+ void set_buflisted(int on);
+ int buf_contents_changed(buf_T *buf);
+ void wipe_buffer(buf_T *buf, int aucmd);
++int buf_locked(buf_T *buf);
+ /* vim: set ft=c : */
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index fc6f377cf5055..31ebc1bcbbcf9 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -4883,4 +4883,23 @@ func Test_GuiEnter_Turkish_locale()
+ delfunc SetupVimTest_shm
+ endfunc
+
++" This was using freed memory
++func Test_autocmd_BufWinLeave_with_vsp()
++ new
++ let fname = 'XXXBufWinLeaveUAF.txt'
++ let dummy = 'XXXDummy.txt'
++ call writefile([], fname)
++ call writefile([], dummy)
++ defer delete(fname)
++ defer delete(dummy)
++ exe "e " fname
++ vsp
++ augroup testing
++ exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
++ augroup END
++ bw
++ call CleanUpTestAuGroup()
++ exe "bw! " .. dummy
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 4e57f33..c82d59e 100644
--- a/vim.spec
+++ b/vim.spec
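Review bot: The new `buf_locked()` in the nested src/buffer.c hunk lands without the leading block comment that the neighbouring function in that file carries (the `/* Close the link to a buffer. */` block directly follows it), so the contract a caller relies on to bail out is not stated at the definition; I would add `/*`, ` * Return TRUE when "buf" is locked ("b_locked" or "b_locked_split" is set).`, ` */` above `int buf_locked(buf_T *buf)`. In the nested src/ex_cmds.c hunk the comment introducing the check has a typo and should read `// autocommands try to edit a file that is going to be removed,`. That hunk sits inside do_ecmd(), whose body starts and ends outside the hunk, and the `--curwin->w_buffer->b_nwindows` roll-back presumably relies on `oldwin == NULL` meaning the window was already split earlier in do_ecmd(); since that link is not visible here, the comment `// window was split, but not editing the new buffer` would be clearer as `// oldwin == NULL: this window was split above for the new buffer; undo the b_nwindows increment`.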
@@ -14,7 +14,7 @@ Name: vim
 Epoch: 2
 Version: %{baseversion}.%{patchlevel}
-Release: 11
+Release: 12
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -50,6 +50,7 @@ Patch6015: backport-patch-9.1.0554-bw-leaves-jumplist-and-tagstack-data-.pa
 Patch6016: backport-CVE-2024-41957.patch
 Patch6017: backport-CVE-2024-43374.patch
 Patch6018: backport-CVE-2024-43802.patch
+Patch6019: backport-CVE-2024-47814.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -457,6 +458,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 %changelog
+* Mon Oct 07 2024 Funda Wang - 2:9.0.2092-12
+- Type:CVE
+- ID:CVE-2024-47814
+- SUG:NA
+- DESC:fix CVE-2024-47814
+
 * Thu Aug 29 2024 wangjiang - 2:9.0.2092-11
 - Type:CVE
 - ID:CVE-2024-43802
-- Gitee