Mercurial > vim
view pixmaps/tb_replace.xpm @ 33865:8cdb69ea3711 v9.0.2143
patch 9.0.2143: [security]: buffer-overflow in ex_substitute
Commit: https://github.com/vim/vim/commit/abfa13ebe92d81aaf66669c428d767847b577453
Author: Christian Brabandt <cb@256bit.org>
Date: Thu Nov 30 11:32:18 2023 +0100
patch 9.0.2143: [security]: buffer-overflow in ex_substitute
Problem: [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating
When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.
So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.
Reported by @henices, thanks!
closes: #13596
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 10 Dec 2023 15:16:05 +0100 |
parents | 3fc0f57ecb91 |
children |
line wrap: on
line source
/* XPM */ static char * tb_replace_xpm[] = { /* width height ncolors cpp [x_hot y_hot] */ "18 18 9 1 0 0", /* colors */ " s none m none c none", ". s iconColor1 m black c #000000", "X s iconColor2 m none c #FFFFFF", "o s bottomShadowColor m black c #5D6069", "+ s iconGray4 m none c #949494", "@ s iconColor3 m black c #FF0000", "# s iconGray3 m none c #adadad", "$ s iconGray1 m none c #dedede", "% s iconGray7 m black c #424242", /* pixels */ " ", " ......... ", " .XXXXXXX.. ", " .X..XXXX.X. ", " oX..oXXX.... ", " o.X..XXXXXX. ", " +....oXXXXX.o ", " .XXX..XXXXX.o ", " ..oXo...XXXX.o ", " +XXXXXXXXXX+o ", " .X@@XX@XXX.... ", " .Xo@XX@@XX.#$.. ", " .XXo@@@@@X.... ", " .XXXXX@@XX.#$.. ", " .XXXXX@XXX.#$.. ", " ......o..%.... ", " ooooooooo ", " "};