Mercurial > vim
diff src/ex_cmds.c @ 33865:8cdb69ea3711 v9.0.2143
patch 9.0.2143: [security]: buffer-overflow in ex_substitute
Commit: https://github.com/vim/vim/commit/abfa13ebe92d81aaf66669c428d767847b577453
Author: Christian Brabandt <cb@256bit.org>
Date: Thu Nov 30 11:32:18 2023 +0100
patch 9.0.2143: [security]: buffer-overflow in ex_substitute
Problem: [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating
When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.
So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.
Reported by @henices, thanks!
closes: #13596
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 10 Dec 2023 15:16:05 +0100 |
parents | 06219b3bdaf3 |
children | 7c30841c60a0 |
line wrap: on
line diff
--- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -4650,7 +4650,7 @@ ex_substitute(exarg_T *eap) * too many calls to alloc()/free()). */ new_start_len = needed_len + 50; - if ((new_start = alloc(new_start_len)) == NULL) + if ((new_start = alloc_clear(new_start_len)) == NULL) goto outofmem; *new_start = NUL; new_end = new_start; @@ -4667,7 +4667,7 @@ ex_substitute(exarg_T *eap) if (needed_len > (int)new_start_len) { new_start_len = needed_len + 50; - if ((p1 = alloc(new_start_len)) == NULL) + if ((p1 = alloc_clear(new_start_len)) == NULL) { vim_free(new_start); goto outofmem;