[pcre-dev] [Bug 952] New: pcre-8.01 may access out of static…

Author: 952
Date:  
To: pcre-dev
New-Topics: [pcre-dev] [Bug 952] pcre-8.01 may access out of static array in 'make test'.
Subject: [pcre-dev] [Bug 952] New: pcre-8.01 may access out of static array in 'make test'.
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=952
           Summary: pcre-8.01 may access out of static array in 'make test'.
           Product: PCRE
           Version: 8.01
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
        AssignedTo: ph10@???
        ReportedBy: katayama@???
                CC: pcre-dev@???



In 'make test', internal_dfa_exec() accesses coptable[], whose array length is
113, with index 114.
This bug was found using Fail-Safe C.
(https://staff.aist.go.jp/y.oiwa/FailSafeC/index-en.html)

$ uname -a
Linux hardy2-gp01 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686
GNU/Linux
$ gcc -v
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v
--enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr
--enable-shared --with-system-zlib --libexecdir=/usr/lib
--without-included-gettext --enable-threads=posix --enable-nls
--with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2
--enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr
--enable-targets=all --enable-checking=release --build=i486-linux-gnu
--host=i486-linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
$ CFLAGS=-g ./configure --disable-shared && make
(snip)
$ gdb pcretest
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) b pcre_dfa_exec.c:674
Breakpoint 1 at 0x8059dc8: file pcre_dfa_exec.c, line 674.
(gdb) run -q -dfa
Starting program: /home/katayama/work/pcre-8.01/pcretest -q -dfa
re> /(a|(bc)){0,0}?xyz/
data> xyz


Breakpoint 1, internal_dfa_exec (md=0xbff962f4, this_start_code=0x8094af0 "^",
current_subject=0x80886ad "xyz", start_offset=0,
    offsets=0x8094a10, offsetcount=44, workspace=0xbff96508, wscount=124,
ims=0, rlevel=1, recursing=0) at pcre_dfa_exec.c:674
674         if (coptable[codevalue] > 0)
(gdb) p codevalue
$1 = 114
(gdb) p sizeof(coptable) / sizeof(coptable[0])
$2 = 113
(gdb)



--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
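The defect reported above is a static opcode table read one past its end. The following added example (not PCRE's code; the opcode names and the count of 113 are stand-ins chosen to mirror the report) shows the two defensive patterns that prevent this class of bug: size the table from the opcode enum and check it at compile time, and route every lookup through a bounds check so an unexpected code value returns an error instead of reading adjacent memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical opcode numbering; PCRE's real opcode names are not on this page.
 * The last real opcode is 112, so a complete table needs 113 entries. */
enum {
    OP_END = 0,
    OP_CHAR,
    OP_BRA,
    /* ... further opcodes elided in this illustration ... */
    OP_LAST_REAL = 112,      /* last opcode the table must cover */
    OP_TABLE_LENGTH          /* 113: one entry per opcode */
};

/* Pattern 1: size the table by the enum so adding an opcode cannot silently
 * leave the table short. Designated initialisers set unlisted entries to 0. */
static const unsigned char coptable[OP_TABLE_LENGTH] = {
    [OP_END]  = 0,
    [OP_CHAR] = 1,
    [OP_BRA]  = 1,
};
_Static_assert(sizeof(coptable) / sizeof(coptable[0]) == OP_TABLE_LENGTH,
               "coptable must have exactly one entry per opcode");

/* Pattern 2: every lookup goes through a bounds check. Returns -1 when
 * codevalue lies outside the table instead of reading past its end. */
int coptable_get(int codevalue)
{
    if (codevalue < 0 || codevalue >= OP_TABLE_LENGTH)
        return -1;
    return coptable[codevalue];
}

int main(void)
{
    /* 114 is the index the report shows being read from a 113-entry table. */
    printf("coptable[114] -> %d (out of range)\n", coptable_get(114));
    printf("coptable[%d] -> %d\n", OP_CHAR, coptable_get(OP_CHAR));
    return 0;
}
```

With the table tied to the enum, a missing entry shows up as a compile error or a zero, never as a read beyond the array; the runtime check catches code values the table was never meant to cover.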