diff options
| author | Christian Brabandt <cb@256bit.org> | 2023-12-04 22:52:23 +0100 |
|---|---|---|
| committer | Christian Brabandt <cb@256bit.org> | 2023-12-04 22:54:43 +0100 |
| commit | 5dd41d4b6370b7b7d09d691f9252b3899c66102a (patch) | |
| tree | 99bcf9a51f84ef73d003206c2d2960b51bd133b3 /src/testdir/crash | |
| parent | 1e5d66408ef85c750a5af03bbf5cc19b5de7a6bc (diff) | |
patch 9.0.2149: [security]: use-after-free in exec_instructions()v9.0.2149
Problem: [security]: use-after-free in exec_instructions()
Solution: get tv pointer again
[security]: use-after-free in exec_instructions()
exec_instructions may access freed memory, if the GA_GROWS_FAILS()
re-allocates memory. When this happens, the typval tv may still point to
now already freed memory. So let's get that pointer again and compare it
with tv. If those two pointers differ, tv is now invalid and we have to
refresh the tv pointer.
closes: #13621
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/testdir/crash')
| -rw-r--r-- | src/testdir/crash/poc_uaf_exec_instructions | bin | 0 -> 69 bytes |
1 files changed, 0 insertions, 0 deletions
diff --git a/src/testdir/crash/poc_uaf_exec_instructions b/src/testdir/crash/poc_uaf_exec_instructions Binary files differnew file mode 100644 index 0000000000..49ae8577ff --- /dev/null +++ b/src/testdir/crash/poc_uaf_exec_instructions |