From 0fc382b8511a38454ac0800dcefa72d57820108a Mon Sep 17 00:00:00 2001
From: changtao
Date: Tue, 8 Oct 2024 09:14:26 +0800
Subject: [PATCH] fix-CVE-2024-47814

---
 fix-CVE-2024-47814.patch | 118 +++++++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++-
 2 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100644 fix-CVE-2024-47814.patch

diff --git a/fix-CVE-2024-47814.patch b/fix-CVE-2024-47814.patch
new file mode 100644
index 0000000..a37ad88
--- /dev/null
+++ b/fix-CVE-2024-47814.patch
@@ -0,0 +1,118 @@
+From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Tue, 8 Oct 2024 09:09:11 +0800
+Subject: [PATCH] fix CVE-2024-47814
+
+Problem: [security]: use-after-free when closing a buffer
+Solution: When splitting the window and editing a new buffer,
+ check whether the newly to be edited buffer has been marked
+ for deletion and abort in this case
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
+
+Signed-off-by: Christian Brabandt
+
+---
+ src/buffer.c | 7 +++++++
+ src/ex_cmds.c | 12 ++++++++++++
+ src/proto/buffer.pro | 1 +
+ src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
+ src/version.c | 2 ++
+ 5 files changed, 41 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 8ea57f7..1f71e38 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -470,6 +470,13 @@ can_unload_buffer(buf_T *buf)
+ return can_unload;
+ }
+
++ int
++buf_locked(buf_T *buf)
++{
++ return buf->b_locked || buf->b_locked_split;
++}
++
++
+ /*
+ * Close the link to a buffer.
+ * "action" is used when there is no longer a window for the buffer.
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 853df4b..92b5e9f 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -2692,6 +2692,18 @@ do_ecmd(
+ }
+ if (buf == NULL)
+ goto theend;
++ // autocommands try to edit a file that is goind to be removed,
++ // abort
++ if (buf_locked(buf))
++ {
++ // window was split, but not editing the new buffer,
++ // reset b_nwindows again
++ if (oldwin == NULL
++ && curwin->w_buffer != NULL
++ && curwin->w_buffer->b_nwindows > 1)
++ --curwin->w_buffer->b_nwindows;
++ goto theend;
++ }
+ if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
+ // reusing the buffer, keep the old alternate file
+ curwin->w_alt_fnum = prev_alt_fnum;
+diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
+index 094feed..031e64a 100644
+--- a/src/proto/buffer.pro
++++ b/src/proto/buffer.pro
+@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
+ void set_buflisted(int on);
+ int buf_contents_changed(buf_T *buf);
+ void wipe_buffer(buf_T *buf, int aucmd);
++int buf_locked(buf_T *buf);
+ /* vim: set ft=c : */
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index d8738c8..e251112 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -3633,4 +3633,23 @@ func Test_autocmd_split_dummy()
+ call delete('Xerr')
+ endfunc
+
++" This was using freed memory
++func Test_autocmd_BufWinLeave_with_vsp()
++ new
++ let fname = 'XXXBufWinLeaveUAF.txt'
++ let dummy = 'XXXDummy.txt'
++ call writefile([], fname)
++ call writefile([], dummy)
++ defer delete(fname)
++ defer delete(dummy)
++ exe "e " fname
++ vsp
++ augroup testing
++ exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
++ augroup END
++ bw
++ call CleanUpTestAuGroup()
++ exe "bw! " .. dummy
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 2de8fd2..5946644 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -735,6 +735,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 679,
+ /**/
+ 678,
+ /**/
+--
+2.43.0
+
diff --git a/vim.spec b/vim.spec
index fcc6a12..4f99bda 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim
 Epoch: 2
 Version: 9.0
-Release: 27
+Release: 28
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -129,6 +129,7 @@ Patch6099: backport-CVE-2024-43802.patch
 Patch9000: bugfix-rm-modify-info-version.patch
 Patch9001: vim-Add-sw64-architecture.patch
+Patch9002: fix-CVE-2024-47814.patch
 BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -536,6 +537,12 @@ LANG=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Oct 08 2024 changtao - 2:9.0-28
+- Type:CVE
+- ID:CVE-2024-47814
+- SUG:NA
+- DESC:fix CVE-2024-47814
+
 * Thu Aug 29 2024 wangjiang - 2:9.0-27
 - Type:CVE
 - ID:CVE-2024-43802
--
Gitee
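Review bot: The comment introduced in the do_ecmd() hunk of src/ex_cmds.c has a typo, `// autocommands try to edit a file that is goind to be removed,` should read `// autocommands try to edit a file that is going to be removed,`. The new buf_locked() in src/buffer.c is added without the per-function comment block its neighbours carry (the `/* Close the link to a buffer. ... */` comment directly below it shows the convention); a short comment such as `/* Return non-zero when "buf" has b_locked or b_locked_split set; do_ecmd() aborts editing such a buffer. */` would document the contract, and one of the two blank lines after its closing brace can go. The body of do_ecmd() starts and ends outside the hunk, so the `oldwin == NULL` condition and the `b_nwindows` decrement cannot be checked here against the split they are meant to undo; it is worth confirming against the earlier split code that the decrement exactly mirrors the increment, since an unbalanced count is what this fix depends on to keep the buffer alive.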