patch 9.1.2128: Heap use after free in buf_check_timestamp()
Commit:
https://github.com/vim/vim/commit/392b428d1239e963020b73682cd03f17ffb538b3
Author: Sean Dewar <[email protected]>
Date: Tue Feb 3 15:00:12 2026 +0000
patch 9.1.2128: Heap use after free in buf_check_timestamp()
Problem: heap UAF if autocommands from reloading a file changed outside
of Vim wipe its buffer.
Solution: Validate the bufref after buf_reload (Sean Dewar)
closes: #19317
Signed-off-by: Sean Dewar <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/fileio.c b/src/fileio.c
index e637ab397..0a4ca648d 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -4480,7 +4480,7 @@ buf_check_timestamp(
// Reload the buffer.
buf_reload(buf, orig_mode, reload == RELOAD_DETECT);
#ifdef FEAT_PERSISTENT_UNDO
- if (buf->b_p_udf && buf->b_ffname != NULL)
+ if (bufref_valid(&bufref) && buf->b_p_udf && buf->b_ffname != NULL)
{
char_u hash[UNDO_HASH_SIZE];
buf_T *save_curbuf = curbuf;
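Review bot: The added `bufref_valid(&bufref)` test in the `FEAT_PERSISTENT_UNDO` condition has no comment explaining why `buf` can be stale immediately after `buf_reload()`; I would add `// Autocommands triggered by buf_reload() may have wiped "buf".` above the `if`. The guard sits inside the `#ifdef`, so it protects only the undo-file block, and any use of `buf` after the `#endif` (not visible in this hunk) has to validate the bufref on its own. The accompanying test in test_filechanged.vim asserts only on `bufexists()` around `checktime`, so the use after free itself is presumably caught only when the suite runs under a memory checker such as ASan or Valgrind. buf_check_timestamp() starts and ends outside the hunk.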
diff --git a/src/testdir/test_filechanged.vim b/src/testdir/test_filechanged.vim
index da517515a..36503cfba 100644
--- a/src/testdir/test_filechanged.vim
+++ b/src/testdir/test_filechanged.vim
@@ -279,4 +279,27 @@ func Test_FileChangedShell_newbuf()
au! testnewbuf
endfunc
+func Test_file_changed_wipeout()
+ call writefile(['foo'], 'Xchanged_bw', 'D')
+ edit Xchanged_bw
+ augroup FileChangedWipeout
+ autocmd FileChangedShell * ++once let v:fcs_choice = 'reload'
+ autocmd BufReadPost * ++once %bw!
+ augroup END
+
+ " Need to wait until the timestamp would change.
+ if has('nanotime')
+ sleep 10m
+ else
+ sleep 2
+ endif
+ call writefile(['bar'], 'Xchanged_bw')
+ call assert_equal(1, bufexists('Xchanged_bw'))
+ checktime " used to be a heap UAF
+ call assert_equal(0, bufexists('Xchanged_bw'))
+
+ au! FileChangedWipeout
+ %bw!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 7e44624ff..c4b596038 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2128,
/**/
2127,
/**/