vim/backport-CVE-2022-3235.patch
dongyuzhen 0687988b4c fix CVE-2022-3234,CVE-2022-3235
(cherry picked from commit 3d21769aa1662e5f11db81ce3b0cece350d65b38)
2022-09-20 16:27:56 +08:00


This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 17 Sep 2022 19:43:23 +0100
Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
autocmd
Problem: Using freed memory with cmdwin and BufEnter autocmd.
Solution: Make sure pointer to b_p_iminsert is still valid.
---
src/ex_getln.c | 6 +++++-
src/testdir/test_cmdline.vim | 10 ++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 8383eee..b299bd0 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -817,6 +817,7 @@ getcmdline_int(
#endif
expand_T xpc;
long *b_im_ptr = NULL;
+ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
cmdline_info_T save_ccline;
int did_save_ccline = FALSE;
int cmdline_type;
@@ -938,6 +939,7 @@ getcmdline_int(
b_im_ptr = &curbuf->b_p_iminsert;
else
b_im_ptr = &curbuf->b_p_imsearch;
+ b_im_ptr_buf = curbuf;
if (*b_im_ptr == B_IMODE_LMAP)
State |= LANGMAP;
#ifdef HAVE_INPUT_METHOD
@@ -1666,6 +1668,7 @@ getcmdline_int(
goto cmdline_not_changed;
case Ctrl_HAT:
+ b_im_ptr = buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL;
if (map_to_exists_mode((char_u *)"", LANGMAP, FALSE))
{
// ":lmap" mappings exists, toggle use of mappings.
@@ -2430,7 +2433,8 @@ returncmd:
State = save_State;
#ifdef HAVE_INPUT_METHOD
- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+ && *b_im_ptr != B_IMODE_LMAP)
im_save_status(b_im_ptr);
im_set_active(FALSE);
#endif
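Review bot: `buf_valid(b_im_ptr_buf)` validates by address, so if the wiped buffer's `buf_T` has been reallocated for a new buffer before returncmd is reached, the check passes and `im_save_status()` writes the IM state into an unrelated buffer's `b_p_iminsert`/`b_p_imsearch` — no longer a use-after-free, but wrong state. If I recall vim's buflist correctly, buffer numbers are never reused, so recording `curbuf->b_fnum` next to `b_im_ptr_buf` where it is assigned and checking `buflist_findnr(b_im_fnum) == b_im_ptr_buf` here would close that gap. The new guard is only inside `#ifdef HAVE_INPUT_METHOD`, which is fine provided this is the last read of `*b_im_ptr` after the buffer may have been wiped; I cannot confirm that from the hunk. getcmdline_int continues outside the hunk on both sides.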
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 68852a7..c442d7f 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -952,4 +952,14 @@ func Test_cmdline_expand_special()
call assert_fails('e <amatch>', 'E497:')
endfunc
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+ au BufEnter * next 0| file
+ edit 0
+ silent! norm q/
+
+ au! BufEnter
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
--
2.27.0