Is there an existing issue for this?

• I have searched the existing issues

Description of the Issue

Due to the N++ Docking Manager design imperfection, there is a possibility of a buffer overflow in its DockingManager::FindEmptyContainer() method.

Erroneous memory overwriting in the above mentioned func usually does not lead to an immediate visible N++ crash, but if the user continues to use the undocking/docking of the N++ panels during the app life, it does lead to constant corruption of unpredictable parts of the app heap memory and consequently to the possible app-crash (or worse - to a possible data corruption).

This bug can also be intentionally exploited if an attacker manually changes the saved value of prev="..." to, say, prev="99999999". Then the N++ would crash immediately upon any attempt to undock a panel.

Steps To Reproduce

1. Build a fresh Debug build of the N++ and launch it.
2. Ctrl+F and then click Find All in Current Document
3. Undock the Search results panel to the floating state
4. Redock it back
5. Close N++

Now in your relevant config.xml should be these Docking Manager data:

        <GUIConfig name="DockingManager" leftWidth="200" rightWidth="200" topHeight="200" bottomHeight="200">
            <FloatingWindow cont="4" x="183" y="344" width="878" height="624" />
            <PluginDlg pluginName="Notepad++::InternalFunction" id="0" curr="3" prev="4" isVisible="yes" />
            <ActiveTabs cont="0" activeTab="-1" />
            <ActiveTabs cont="1" activeTab="-1" />
            <ActiveTabs cont="2" activeTab="-1" />
            <ActiveTabs cont="3" activeTab="0" />
            <ActiveTabs cont="4" activeTab="-1" />
        </GUIConfig>

6. Launch the N++ again and close it immediately.

Now your relevant config.xml data should be like:

        <GUIConfig name="DockingManager" leftWidth="200" rightWidth="200" topHeight="200" bottomHeight="200">
            <PluginDlg pluginName="Notepad++::InternalFunction" id="0" curr="3" prev="4" isVisible="yes" />
            <ActiveTabs cont="0" activeTab="-1" />
            <ActiveTabs cont="1" activeTab="-1" />
            <ActiveTabs cont="2" activeTab="-1" />
            <ActiveTabs cont="3" activeTab="-1" />
        </GUIConfig>

7. Set a breakpoint in MSVS on the DockingManager::FindEmptyContainer() method.
8. Launch a N++ debugging session.
9. Ctrl+F in N++ and then click Find All in Current Document
10. Try to undock the Search results panel to the floating state.
11. Now watch in debugger how the pPrevDockList buffer is being corrupted (see the pics below).
12. Buffer overflow heap manager msgbox warning, when you reach the delete [] pPrevDockList; line.

Current Behavior

Expected Behavior

Such buffer overflow is not possible under any circumstances.

Debug Information

Probably any N++ version (with the docking panels possibility).

Anything else?

No response