File _service:tar_scm:backport-CVE-2022-3352.patch of Package vim

From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 28 Sep 2022 11:48:30 +0100
Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer

Problem:    SpellFileMissing autocmd may delete buffer.
Solution:   Disallow deleting the current buffer to avoid using freed memory.
---
 src/buffer.c                 |  7 ++++++-
 src/spell.c                  |  6 ++++++
 src/testdir/test_autocmd.vim | 10 ++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/buffer.c b/src/buffer.c
index e775398..a85b2a8 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -461,7 +461,12 @@ can_unload_buffer(buf_T *buf)
 	    }
     }
     if (!can_unload)
-	semsg(_(e_attempt_to_delete_buffer_that_is_in_use_str), buf->b_fname);
+    {
+	char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
+
+	semsg(_(e_attempt_to_delete_buffer_that_is_in_use_str),
+				fname != NULL ? fname : (char_u *)"[No Name]");
+    }
     return can_unload;
 }
 
diff --git a/src/spell.c b/src/spell.c
index 24abce4..3664425 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -1559,6 +1559,10 @@ spell_load_lang(char_u *lang)
     sl.sl_slang = NULL;
     sl.sl_nobreak = FALSE;
 
+    // Disallow deleting the current buffer.  Autocommands can do weird things
+    // and cause "lang" to be freed.
+    ++curbuf->b_locked;
+
     // We may retry when no spell file is found for the language, an
     // autocommand may load it then.
     for (round = 1; round <= 2; ++round)
@@ -1612,6 +1616,8 @@ spell_load_lang(char_u *lang)
 	STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
 	do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
     }
+
+    --curbuf->b_locked;
 }
 
 /*
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index e9a59c2..bc74c29 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -2750,6 +2750,16 @@ func Test_FileType_spell()
   setglobal spellfile=
 endfunc
 
+" this was wiping out the current buffer and using freed memory
+func Test_SpellFileMissing_bwipe()
+  next 0
+  au SpellFileMissing 0 bwipe
+  call assert_fails('set spell spelllang=0', 'E937:')
+
+  au! SpellFileMissing
+  bwipe
+endfunc
+
 " Test closing a window or editing another buffer from a FileChangedRO handler
 " in a readonly buffer
 func Test_FileChangedRO_winclose()
-- 
2.27.0