mirror of
https://github.com/neovim/neovim.git
synced 2024-12-26 14:11:15 -07:00
9d7544ac4c
Problem: [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating
When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.
So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.
Reported by @henices, thanks!
closes: vim/vim#13596
abfa13ebe9
Co-authored-by: Christian Brabandt <cb@256bit.org>
135 B
135 B