patch 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer

Problem:  heap use-after-free possible when autocommands switch away from the
          quickfix dummy buffer, but leave it open in a window.
Solution: close its windows first before attempting the wipe.
          (Sean Dewar)

related: #17283

Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

src/quickfix.c

@@ -7026,7 +7026,11 @@ load_dummy_buffer(
 	    aucmd_restbuf(&aco);
 
 	    if (newbuf_to_wipe.br_buf != NULL && bufref_valid(&newbuf_to_wipe))
-		wipe_buffer(newbuf_to_wipe.br_buf, FALSE);
+	    {
+		block_autocmds();
+		wipe_dummy_buffer(newbuf_to_wipe.br_buf, NULL);
+		unblock_autocmds();
+	    }
 	}
 
 	// Add back the "dummy" flag, otherwise buflist_findname_stat() won't
@@ -7052,8 +7056,8 @@ load_dummy_buffer(
 
 /*
  * Wipe out the dummy buffer that load_dummy_buffer() created. Restores
- * directory to "dirname_start" prior to returning, if autocmds or the
- * 'autochdir' option have changed it.
+ * directory to "dirname_start" if not NULL prior to returning, if autocmds or
+ * the 'autochdir' option have changed it.
  */
     static void
 wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
@@ -7095,8 +7099,9 @@ wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
 	// new aborting error, interrupt, or uncaught exception.
 	leave_cleanup(&cs);
 #endif
-	// When autocommands/'autochdir' option changed directory: go back.
-	restore_start_dir(dirname_start);
+	if (dirname_start != NULL)
+	    // When autocommands/'autochdir' option changed directory: go back.
+	    restore_start_dir(dirname_start);
     }
 }
 

src/testdir/test_quickfix.vim

@@ -6899,4 +6899,26 @@ func Test_quickfix_close_buffer_crash()
   wincmd q
 endfunc
 
+func Test_vimgrep_dummy_buffer_crash()
+  augroup DummyCrash
+    autocmd!
+    " Make the dummy buffer non-current, but still open in a window.
+    autocmd BufReadCmd * ++once let s:dummy_buf = bufnr()
+          \| split | wincmd p | enew
+
+    " Autocmds from cleaning up the dummy buffer in this case should be blocked.
+    autocmd BufWipeout *
+          \ call assert_notequal(s:dummy_buf, str2nr(expand('<abuf>')))
+  augroup END
+
+  silent! vimgrep /./ .
+  redraw! " Window to freed dummy buffer used to remain; heap UAF.
+  call assert_equal([], win_findbuf(s:dummy_buf))
+  call assert_equal(0, bufexists(s:dummy_buf))
+
+  unlet! s:dummy_buf
+  autocmd! DummyCrash
+  %bw!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

src/version.c

@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1375,
 /**/
     1374,
 /**/