Use After Free
CVE-2025-26603
Summary
Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows redirecting screen messages to register variables and files using the `:redir` ex command. It also allows showing the contents of registers using the `:registers` or `:display` ex command. When the output of `:display` is redirected to a register, Vim frees the register content before storing the new content in the register. So when `:display` is redirected to a register that is itself being displayed, Vim frees the content and shortly afterwards tries to access it, which leads to a Use After Free.

Vim before 9.1.1115 checks in the `ex_display()` function that it does not try to redirect to a register while displaying that same register. However, this check is incomplete: it does not cover the `+` and `*` registers, which typically denote the X11/clipboard registers and which fall back to using register 0 when a clipboard connection is not possible. In the fixed version, Vim therefore skips outputting to register zero when trying to redirect to the clipboard registers `*` or `+`.

This issue affects versions prior to 9.1.1115. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- HIGH
- LOCAL
- LOW
- UNCHANGED
- REQUIRED
- LOW
- LOW
- LOW
CWE-416 - Use After Free
A use-after-free (UaF) vulnerability occurs when an application uses a pointer to memory that has been freed. Any attempt to read or write a buffer after it is de-allocated can cause memory corruption or sensitive information exposure, and can potentially lead to arbitrary code execution.
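The gap in the register check described in the summary can be modelled without touching real memory. The following is an added example, not Vim source code: the slot layout and all function names are hypothetical, and the fix is modelled as not listing register 0 when the redirect target is `*` or `+`, following the advisory's wording.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the register check; names are hypothetical, not Vim source. */
enum { SLOT_ZERO, SLOT_A, SLOT_STAR, SLOT_PLUS, NSLOTS };
static const char slot_name[NSLOTS] = { '0', 'a', '*', '+' };

/* Slot a redirect to `reg` really writes (and frees first). Without a
 * clipboard connection, '*' and '+' fall back to register 0. */
static int write_target(char reg, bool clipboard_ok) {
    if ((reg == '*' || reg == '+') && !clipboard_ok)
        return SLOT_ZERO;
    for (int i = 0; i < NSLOTS; i++)
        if (slot_name[i] == reg)
            return i;
    return -1; /* not a register in this model */
}

/* Incomplete check: skips only the slot whose name equals the redirect target. */
static bool skip_by_name(int slot, char redir_reg) {
    return slot_name[slot] == redir_reg;
}

/* Check as the advisory describes the fix: also skip register 0 for '*' and '+'. */
static bool skip_fixed(int slot, char redir_reg) {
    if (slot_name[slot] == redir_reg)
        return true;
    return slot == SLOT_ZERO && (redir_reg == '*' || redir_reg == '+');
}

/* Count slots that would be listed while also being the slot the redirect
 * frees and rewrites: each one is a potential read of freed memory. */
static int count_hazards(bool (*skip)(int, char), char redir_reg, bool clipboard_ok) {
    int target = write_target(redir_reg, clipboard_ok);
    int hazards = 0;
    for (int slot = 0; slot < NSLOTS; slot++)
        if (!skip(slot, redir_reg) && slot == target)
            hazards++;
    return hazards;
}

int main(void) {
    const char regs[] = { 'a', '0', '*', '+' };
    for (int i = 0; i < 4; i++)
        printf("redir to %c, no clipboard: name-only=%d fixed=%d\n", regs[i],
               count_hazards(skip_by_name, regs[i], false),
               count_hazards(skip_fixed, regs[i], false));
    return 0;
}
```

The name-only check misses the aliasing because it compares what the user typed rather than the slot the write resolves to, which is the general pattern to look for when reviewing similar guards.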