mirror of
https://github.com/neovim/neovim.git
synced 2024-12-29 14:41:06 -07:00
9d7544ac4c
Problem: [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating
When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.
So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.
Reported by @henices, thanks!
closes: vim/vim#13596
|
||
---|---|---|
.. | ||
bt_quickfix1_poc | ||
bt_quickfix_poc | ||
crash_scrollbar | ||
editing_arg_idx_POC_1 | ||
poc1 | ||
poc_did_set_langmap | ||
poc_ex_substitute | ||
poc_huaf1 | ||
poc_huaf2 | ||
poc_huaf3 | ||
poc_suggest_trie_walk | ||
poc_tagfunc.vim | ||
poc_win_enter_ext | ||
vim_msg_trunc_poc | ||
vim_regsub_both | ||
vim_regsub_both_poc |