From abfa13ebe92d81aaf66669c428d767847b577453 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 30 Nov 2023 11:32:18 +0100
Subject: patch 9.0.2143: [security]: buffer-overflow in ex_substitute

Problem:  [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating

When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.

So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.

Reported by @henices, thanks!

closes: #13596
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/ex_cmds.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/ex_cmds.c')

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index a08682b071..e311fa8e7a 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4650,7 +4650,7 @@ ex_substitute(exarg_T *eap)
 		     * too many calls to alloc()/free()).
 		     */
 		    new_start_len = needed_len + 50;
-		    if ((new_start = alloc(new_start_len)) == NULL)
+		    if ((new_start = alloc_clear(new_start_len)) == NULL)
 			goto outofmem;
 		    *new_start = NUL;
 		    new_end = new_start;
@@ -4667,7 +4667,7 @@ ex_substitute(exarg_T *eap)
 		    if (needed_len > (int)new_start_len)
 		    {
 			new_start_len = needed_len + 50;
-			if ((p1 = alloc(new_start_len)) == NULL)
+			if ((p1 = alloc_clear(new_start_len)) == NULL)
 			{
 			    vim_free(new_start);
 			    goto outofmem;
-- 
cgit v1.2.3