patch 9.1.2023: [security]: Use-after-free in alist_add() with nasty autocmd

Problem:  A BufAdd autocommand may cause alist_add() to use freed
          memory, this is caused by the w_locked variable unset too
          early (henices)
Solution: in trigger_undo_ftplugin() only set w_locked to false, if it
          was false when calling the function.

related: v9.1.0678
closes: #19023

Signed-off-by: Christian Brabandt <cb@256bit.org>

Author: chrisbra

src/buffer.c

@@ -75,14 +75,15 @@ static garray_T buf_reuse = GA_EMPTY;	// file numbers to recycle
     static void
 trigger_undo_ftplugin(buf_T *buf, win_T *win)
 {
+    int win_was_locked = win->w_locked;
     window_layout_lock();
     buf->b_locked++;
     win->w_locked = TRUE;
     // b:undo_ftplugin may be set, undo it
     do_cmdline_cmd((char_u*)"if exists('b:undo_ftplugin') | :legacy :exe \
 	    b:undo_ftplugin | endif");
     buf->b_locked--;
-    win->w_locked = FALSE;
+    win->w_locked = win_was_locked;
     window_layout_unlock();
 }
 

src/testdir/test_arglist.vim

@@ -772,7 +772,6 @@ func Test_crash_arglist_uaf()
   "%argdelete
   new one
   au BufAdd XUAFlocal :bw
-  "call assert_fails(':arglocal XUAFlocal', 'E163:')
   arglocal XUAFlocal
   au! BufAdd
   bw! XUAFlocal
@@ -788,4 +787,15 @@ func Test_crash_arglist_uaf()
   au! BufAdd
 endfunc
 
+" This was using freed memory again
+func Test_crash_arglist_uaf2()
+  new
+  au BufAdd XUAFlocal :bw
+  arglocal XUAFlocal
+  redraw!
+  put ='abc'
+  2#
+  au! BufAdd
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

src/version.c

@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2023,
 /**/
     2022,
 /**/