From 950f464992f07407e52ebc716d6648aa120dd334 Mon Sep 17 00:00:00 2001
From: dv
Date: Mon, 25 Oct 2021 14:17:24 +0000
Subject: [PATCH] vi(1): fix use after free with unsaved buffer

Issuing a zero-arg ex_edit command (:e) while using a named buffer with no backing file caused vi(1)/ex(1) to free the strings representing the buffer name and the name of the temporary file. This change detects the situation and only frees the newly allocated EXF structure (ep). Reported on bugs@ by kn@. OK millert@
---
 usr.bin/vi/common/exf.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/usr.bin/vi/common/exf.c b/usr.bin/vi/common/exf.c
index d99ce4122fb..1d966db1823 100644
--- a/usr.bin/vi/common/exf.c
+++ b/usr.bin/vi/common/exf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exf.c,v 1.47 2021/10/24 21:24:17 deraadt Exp $ */
+/* $OpenBSD: exf.c,v 1.48 2021/10/25 14:17:24 dv Exp $ */
 
 /*-
 * Copyright (c) 1992, 1993, 1994
@@ -173,6 +173,16 @@ file_init(SCR *sp, FREF *frp, char *rcv_name, int flags)
 * to the real name (we display that until the user renames it).
 */
 oname = frp->name;
+
+ /*
+ * User is editing a named file that doesn't exist yet other than as a
+ * temporary file.
+ */
+ if (!exists && oname != NULL && frp->tname != NULL) {
+ free(ep);
+ return (1);
+ }
+
 if (LF_ISSET(FS_OPENERR) || oname == NULL || !exists) {
 /*
 * Don't try to create a temporary support file twice.
-- 
2.20.1
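Review bot: The new guard in file_init only short-circuits the `!exists && oname != NULL` case, while the condition right after it still admits `LF_ISSET(FS_OPENERR)` and `oname == NULL` with `frp->tname` already set, so those cases still enter the "Don't try to create a temporary support file twice" branch. That branch's body is outside the hunk, but if it is the path that frees `frp->name` and `frp->tname` (as the commit message suggests), it is worth confirming that neither case can occur while a live buffer still references those strings, or widening the guard to cover them. The added comment also describes the situation but not the reason for the early return; something like `/* frp->name and frp->tname are still in use by the current buffer; release only the new EXF. */` would record why only `ep` is freed. file_init starts and ends outside the hunk.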