diff options
author | Christian Brabandt <cb@256bit.org> | 2023-11-30 11:32:18 +0100 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2023-12-01 18:58:51 +0100 |
commit | abfa13ebe92d81aaf66669c428d767847b577453 (patch) | |
tree | 5b6d87d9c13568960be219188c849a4c41ba315c /src/testdir/crash | |
parent | b39b240c386a5a29241415541f1c99e2e6b8ce47 (diff) |
patch 9.0.2143: [security]: buffer-overflow in ex_substitutev9.0.2143
Problem: [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating
When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.
So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.
Reported by @henices, thanks!
closes: #13596
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/testdir/crash')
-rw-r--r-- | src/testdir/crash/poc_ex_substitute | bin | 0 -> 135 bytes |
1 files changed, 0 insertions, 0 deletions
diff --git a/src/testdir/crash/poc_ex_substitute b/src/testdir/crash/poc_ex_substitute Binary files differnew file mode 100644 index 0000000000..bcf1286512 --- /dev/null +++ b/src/testdir/crash/poc_ex_substitute |