
There's a new bug in Visual Studio Code!

Recently, a user named na-an opened a folder in Microsoft's Visual Studio Code editor (hereinafter VS Code) and found that many empty files with garbled names had been created automatically in his directory. He filed an issue in the VS Code GitHub repository, which sparked a lively discussion, with many users reporting that they had been hit by the same "vulnerability".

The screenshot shows that the automatically created files have names of varying length, and that these names are not valid Unicode (the \312\316\361 in the figure is an octal rendering of the raw bytes).

On analysis, these randomly created files appear to come from a memory dump of a running process: they contain strings typically found in executables, and their creation looks like the result of stack corruption or an out-of-bounds pointer (a pointer issue).

Besides frantically creating empty files, this VS Code "vulnerability" also randomly modifies user files. For example, for the user daantimmer, the entire contents of a file were wiped, leaving it at 0 KB. This is the worst case, because there is no guarantee that the file was backed up beforehand.

Nor is the damage limited to the current workspace folder: it can even empty some system files and folders.
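As an added example (not code from the original post, from VS Code or from the C++ extension), here is a small Python triage script that looks for the two symptoms described above in a workspace: file names that are not valid UTF-8, rendered with the same octal escapes the bug report uses, and files that have been truncated to 0 bytes. The sample listing is constructed; `scan_workspace` walks a real directory using bytes paths so that undecodable names survive intact.

```python
"""Workspace triage for the two symptoms described in the report:
file names that are not valid UTF-8, and files emptied to 0 bytes.
Added example; not code from the VS Code or C++ extension projects."""
import os
import tempfile
from pathlib import Path


def octal_escape(raw: bytes) -> str:
    """Render a raw file name the way the bug report does: printable ASCII
    stays as-is, every other byte becomes a \\NNN octal escape
    (e.g. b'\\312\\316\\361' -> '\\312\\316\\361')."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\%03o" % b
        for b in raw
    )


def classify_entries(entries):
    """entries: iterable of (raw_name: bytes, size_in_bytes: int).
    Returns {'invalid_name': [...], 'empty': [...]} with names rendered via
    octal_escape and each list sorted, so results are deterministic."""
    findings = {"invalid_name": [], "empty": []}
    for raw_name, size in entries:
        try:
            raw_name.decode("utf-8")
            valid = True
        except UnicodeDecodeError:
            valid = False
        shown = octal_escape(raw_name)
        if not valid:
            findings["invalid_name"].append(shown)
        if size == 0:
            findings["empty"].append(shown)
    for key in findings:
        findings[key].sort()
    return findings


def scan_workspace(root):
    """Walk `root` (str or Path) with bytes paths so undecodable names are not
    mangled, and classify every regular file by its path relative to root."""
    root_b = os.fsencode(str(root))
    entries = []
    for dirpath, _dirs, files in os.walk(root_b):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # vanished or unreadable: not one of the two symptoms
            entries.append((os.path.relpath(full, root_b), size))
    return classify_entries(entries)


# Constructed sample listing mirroring the report: one garbage file with a
# non-UTF-8 name, one source file emptied to 0 bytes, one healthy file.
SAMPLE_ENTRIES = [
    (b"\312\316\361", 0),
    (b"main.cpp", 0),
    (b"CMakeLists.txt", 412),
]


def demo_on_temp_dir():
    """Create a throwaway directory with one emptied and one healthy file
    (constructed fixture) and scan it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "empty.cpp").touch()
        Path(d, "ok.cpp").write_text("int main() { return 0; }\n")
        return scan_workspace(d)


if __name__ == "__main__":
    print(classify_entries(SAMPLE_ENTRIES))
    print(demo_on_temp_dir())
```

Run it against a workspace root after an incident to get a list of candidates to restore from backup or version control; a zero-byte source file is the strongest signal, since an editor bug that writes garbage elsewhere would not normally truncate a file you did not save.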

So far this vulnerability has appeared on Windows and Linux alike. The "victims" all have one thing in common: they write C++ code and use the C++ extension for VS Code. One user found that the problem disappeared when he disabled all extensions, and also disappeared when he switched the C++ extension back to the stable version (1.8.4).

These facts all point to the root cause: the pre-release version 1.9.4 of the VS Code C++ extension, which is unstable and carries the file-system flaws described above (note that if VS Code's automatic update function is enabled, it will update the C++ extension to the pre-release 1.9.4 on its own).

At first, the developers of the C++ extension had no idea what was wrong with version 1.9.4. The memory corruption appears to be related to several long-standing, unresolved file corruption bugs in the C++ extension: #4573 and #5061.

The current guess is that version 1.9.4 accidentally used uninitialized memory, and the resulting bad pointers caused the file-system damage; the suspected origin is a set of modifications to an external third-party subsystem that did not follow modern C++ coding guidelines, which would prevent or detect the use of uninitialized pointers.

The fix is simple: don't install version 1.9.4 of the C++ extension. The problem does not exist in 1.9.5, 1.9.3, 1.8.4 or the newly released 1.9.6.


MissD