neovim/test/old/testdir/crash
zeertzjq 9d7544ac4c vim-patch:9.0.2143: [security]: buffer-overflow in ex_substitute
Problem:  [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating

When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.

So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.

Reported by @henices, thanks!

closes: vim/vim#13596

abfa13ebe9

Co-authored-by: Christian Brabandt <cb@256bit.org>
2023-12-02 10:41:31 +08:00
..
bt_quickfix1_poc vim-patch:partial:9.0.1859: heap-use-after-free in bt_normal() 2023-11-17 09:54:03 +08:00
bt_quickfix_poc vim-patch:9.0.1857: [security] heap-use-after-free in is_qf_win() 2023-11-17 09:54:03 +08:00
crash_scrollbar vim-patch:9.0.1992: [security] segfault in exmode 2023-11-17 09:59:22 +08:00
editing_arg_idx_POC_1 vim-patch:9.0.2010: [security] use-after-free from buf_contents_changed() 2023-11-17 09:59:22 +08:00
poc1 vim-patch:9.0.2106: [security]: Use-after-free in win_close() 2023-11-17 09:59:22 +08:00
poc_did_set_langmap vim-patch:9.0.2142: [security]: stack-buffer-overflow in option callback functions 2023-12-02 10:41:31 +08:00
poc_ex_substitute vim-patch:9.0.2143: [security]: buffer-overflow in ex_substitute 2023-12-02 10:41:31 +08:00
poc_huaf1 vim-patch:9.0.2106: [security]: Use-after-free in win_close() 2023-11-17 09:59:22 +08:00
poc_huaf2 vim-patch:9.0.2106: [security]: Use-after-free in win_close() 2023-11-17 09:59:22 +08:00
poc_huaf3 vim-patch:9.0.2106: [security]: Use-after-free in win_close() 2023-11-17 09:59:22 +08:00
poc_suggest_trie_walk vim-patch:9.0.2141: [security]: buffer-overflow in suggest_trie_walk 2023-12-02 10:41:31 +08:00
poc_tagfunc.vim vim-patch:9.0.1858: [security] heap use after free in ins_compl_get_exp() 2023-11-17 09:54:03 +08:00
poc_win_enter_ext vim-patch:9.0.2140: [security]: use-after-free in win-enter 2023-12-02 10:41:31 +08:00
vim_msg_trunc_poc vim-patch:9.0.1969: [security] buffer-overflow in trunc_string() 2023-11-17 09:59:16 +08:00
vim_regsub_both vim-patch:9.0.1848: [security] buffer-overflow in vim_regsub_both() (#25001) 2023-09-03 13:47:55 +08:00
vim_regsub_both_poc vim-patch:9.0.2106: [security]: Use-after-free in win_close() 2023-11-17 09:59:22 +08:00