From abfa13ebe92d81aaf66669c428d767847b577453 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 30 Nov 2023 11:32:18 +0100
Subject: patch 9.0.2143: [security]: buffer-overflow in ex_substitute

Problem:  [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating

When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.

So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.

Reported by @henices, thanks!

closes: #13596
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/testdir/crash/poc_ex_substitute | Bin 0 -> 135 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 src/testdir/crash/poc_ex_substitute

(limited to 'src/testdir/crash')

diff --git a/src/testdir/crash/poc_ex_substitute b/src/testdir/crash/poc_ex_substitute
new file mode 100644
index 0000000000..bcf1286512
Binary files /dev/null and b/src/testdir/crash/poc_ex_substitute differ
-- 
cgit v1.2.3