From 5dd41d4b6370b7b7d09d691f9252b3899c66102a Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Mon, 4 Dec 2023 22:52:23 +0100 Subject: patch 9.0.2149: [security]: use-after-free in exec_instructions() Problem: [security]: use-after-free in exec_instructions() Solution: get tv pointer again [security]: use-after-free in exec_instructions() exec_instructions may access freed memory, if the GA_GROWS_FAILS() re-allocates memory. When this happens, the typval tv may still point to now already freed memory. So let's get that pointer again and compare it with tv. If those two pointers differ, tv is now invalid and we have to refresh the tv pointer. closes: #13621 Signed-off-by: Christian Brabandt --- src/testdir/crash/poc_uaf_exec_instructions | Bin 0 -> 69 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 src/testdir/crash/poc_uaf_exec_instructions (limited to 'src/testdir/crash') diff --git a/src/testdir/crash/poc_uaf_exec_instructions b/src/testdir/crash/poc_uaf_exec_instructions new file mode 100644 index 0000000000..49ae8577ff Binary files /dev/null and b/src/testdir/crash/poc_uaf_exec_instructions differ -- cgit v1.2.3
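Review bot: the new file src/testdir/crash/poc_uaf_exec_instructions is a 69-byte binary, and nothing in this view shows which test runs it or what outcome is expected. Because the diffstat here is limited to 'src/testdir/crash', the test that loads this file and the change to exec_instructions() have to be checked in the full commit. A short comment in that test naming patch 9.0.2149 and the expected result would help, since the binary PoC cannot be read in review. The commit message describes re-fetching the pointer after the grow call and comparing it with tv, so it is also worth confirming in the source change that every later use of tv on that path goes through the refreshed pointer, not only the first one.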