patch 9.0.2143: [security]: buffer-overflow in ex_substitute
Problem: [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating
When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.
So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.
Reported by @henices, thanks!
closes: #13596
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 1d4f435..49e712a 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -117,7 +117,7 @@
" The following used to crash Vim
let opts = #{cmd: 'sh'}
let vim = GetVimProg()
- let result = 'X_crash1_1_result.txt'
+ let result = 'X_crash1_2_result.txt'
let buf = RunVimInTerminal('sh', opts)
@@ -149,6 +149,17 @@
\ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
call TermWait(buf, 150)
+ let file = 'crash/poc_ex_substitute'
+ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
+ let args = printf(cmn_args, vim, file)
+ " just make sure it runs, we don't care about the resulting echo
+ call term_sendkeys(buf, args .. "\<cr>")
+ " There is no output generated in Github CI for the asan clang build.
+ " so just skip generating the ouput.
+ " call term_sendkeys(buf, args ..
+ " \ ' && echo "crash 5: [OK]" >> '.. result .. "\<cr>")
+ call TermWait(buf, 150)
+
" clean up
exe buf .. "bw!"