File _service:tar_scm:fix-CVE-2024-47814.patch of Package vim

From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Tue, 8 Oct 2024 09:24:30 +0800
Subject: [PATCH] fix CVE-2024-47814

Problem:  [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
          check whether the newly to be edited buffer has been marked
          for deletion and abort in this case

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/buffer.c b/src/buffer.c
index 260d22e..6bdb7a6 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -496,6 +496,12 @@ can_unload_buffer(buf_T *buf)
     return can_unload;
 }
 
+    int
+buf_locked(buf_T *buf)
+{
+    return buf->b_locked || buf->b_locked_split;
+}
+
 /*
  * Close the link to a buffer.
  * "action" is used when there is no longer a window for the buffer.
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 46c4503..31cef2a 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2740,6 +2740,18 @@ do_ecmd(
 	}
 	if (buf == NULL)
 	    goto theend;
+	// autocommands try to edit a file that is goind to be removed,
+	// abort
+	if (buf_locked(buf))
+	{
+	    // window was split, but not editing the new buffer,
+	    // reset b_nwindows again
+	    if (oldwin == NULL
+		    && curwin->w_buffer != NULL
+		    && curwin->w_buffer->b_nwindows > 1)
+		--curwin->w_buffer->b_nwindows;
+	    goto theend;
+	}
 	if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
 	    // reusing the buffer, keep the old alternate file
 	    curwin->w_alt_fnum = prev_alt_fnum;
diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
index 3a61027..dc68ca8 100644
--- a/src/proto/buffer.pro
+++ b/src/proto/buffer.pro
@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
 void set_buflisted(int on);
 int buf_contents_changed(buf_T *buf);
 void wipe_buffer(buf_T *buf, int aucmd);
+int buf_locked(buf_T *buf);
 /* vim: set ft=c : */
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
index 0652a6f..3abde1e 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -4311,4 +4311,23 @@ func Test_autocmd_shortmess()
   delfunc SetupVimTest_shm
 endfunc
 
+" This was using freed memory
+func Test_autocmd_BufWinLeave_with_vsp()
+  new
+  let fname = 'XXXBufWinLeaveUAF.txt'
+  let dummy = 'XXXDummy.txt'
+  call writefile([], fname)
+  call writefile([], dummy)
+  defer delete(fname)
+  defer delete(dummy)
+  exe "e " fname
+  vsp
+  augroup testing
+    exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
+  augroup END
+  bw
+  call CleanUpTestAuGroup()
+  exe "bw! " .. dummy
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 10916ed..286a45f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/    
+    679,
 /**/
     678,
 /**/
-- 
2.43.0