[pcre-dev] [Bug 962] New: buffer overflow in pcre_compile.c

Author: Michael Santos
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 962] New: buffer overflow in pcre_compile.c
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=962
           Summary: buffer overflow in pcre_compile.c
           Product: PCRE
           Version: 8.01
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
        AssignedTo: ph10@???
        ReportedBy: michael.santos@???
                CC: pcre-dev@???



There is a test in pcre_compile.c to check if the buffer holding the compiled
regexp has been overrun:

2725     if (code > cd->start_workspace + COMPILE_WORK_SIZE) /* Check for overrun */
2726       {
2727       *errorcodeptr = ERR52;
2728       goto FAILED;
2729       }


The test looks to be incorrect, because when the check is true, the
buffer pointed to by cd->start_workspace (which is COMPILE_WORK_SIZE
bytes) will have already been overrun.

There is a similar check at pcre_compile.c:2774.

So, for example, on Ubuntu 8.04:

$ perl -e 'print "/","("x819, ")"x819, "/"' | ./pcretest
PCRE version 8.01 2010-01-19

re> re> *** stack smashing detected ***:

/media/opt/src/c/pcre-8.01/.libs/lt-pcretest terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f4f138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7f4f0f0]
/media/opt/src/c/pcre-8.01/.libs/libpcre.so.0[0xb7fd7764]
/media/opt/src/c/pcre-8.01/.libs/libpcre.so.0(pcre_compile2+0x5f8)[0xb7fc9f18]
/media/opt/src/c/pcre-8.01/.libs/libpcre.so.0(pcre_compile+0x41)[0xb7fca541]
/media/opt/src/c/pcre-8.01/.libs/lt-pcretest[0x804aead]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7e78450]
/media/opt/src/c/pcre-8.01/.libs/lt-pcretest[0x8049141]

The attached patch isn't quite right, since the offset returned in the
error will be wrong and the comments in pcre_internal.h suggest that
the lengths may be only minima anyway.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
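The following is an added illustration, not the reporter's patch and not PCRE's own code, of why a post-write `>` comparison against the end of the workspace cannot prevent the overrun the report describes. The workspace size, the `struct workspace` type, the opcode value and the `would_overrun`/`emit_bytes` helpers are all constructed for the example; the real COMPILE_WORK_SIZE lives in pcre_internal.h. The quoted check is modelled on the offset of `code` from `cd->start_workspace`: it only becomes true once `code` is strictly past the end, that is after at least one byte has already been written out of bounds, whereas the safe pattern checks the remaining room before each write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed workspace size for this demonstration only; the real
 * COMPILE_WORK_SIZE is defined in pcre_internal.h. */
#define COMPILE_WORK_SIZE 64

/* The check quoted from pcre_compile.c 8.01, written on the offset of
 * `code` from cd->start_workspace rather than on raw pointers.  It is
 * true only once `code` is strictly beyond the end, i.e. after at least
 * one byte has already landed outside the workspace. */
bool original_check_fires(size_t code_offset)
{
    return code_offset > COMPILE_WORK_SIZE;
}

/* Pre-write check (assumed helper): true when writing `needed` more bytes
 * at `code_offset` would touch anything outside buf[0 .. COMPILE_WORK_SIZE-1]. */
bool would_overrun(size_t code_offset, size_t needed)
{
    if (code_offset > COMPILE_WORK_SIZE)
        return true;                       /* already past the end */
    return COMPILE_WORK_SIZE - code_offset < needed;
}

/* Toy stand-in for the compile workspace (constructed type). */
struct workspace {
    unsigned char buf[COMPILE_WORK_SIZE];
    size_t code;                           /* next write offset */
};

/* Bounded emit: copies `n` bytes only if they fit; returns 1 on success,
 * 0 (leaving the workspace untouched) when the write would overrun. */
int emit_bytes(struct workspace *ws, const unsigned char *src, size_t n)
{
    if (would_overrun(ws->code, n))
        return 0;
    memcpy(ws->buf + ws->code, src, n);
    ws->code += n;
    return 1;
}

/* Emit `n` single-byte opcodes through the bounded path and return how
 * many were accepted; the count can never exceed COMPILE_WORK_SIZE. */
size_t fill_checked(struct workspace *ws, size_t n)
{
    const unsigned char op = 0x01;         /* constructed opcode value */
    size_t written = 0;

    ws->code = 0;
    for (size_t i = 0; i < n; i++) {
        if (!emit_bytes(ws, &op, 1))
            break;
        written++;
    }
    return written;
}

/* Offset at which the quoted check first becomes true when bytes are
 * emitted one at a time with no pre-write check: COMPILE_WORK_SIZE + 1,
 * i.e. one byte past the buffer has already been written by then. */
size_t original_check_first_fires_at(void)
{
    size_t off = 0;
    while (!original_check_fires(off))
        off++;
    return off;
}
```

The contrast the report hinges on is visible in the two predicates: with `code` exactly at `start_workspace + COMPILE_WORK_SIZE` the buffer is already full, yet `original_check_fires` is still false and the next emitted byte goes out of bounds; `would_overrun` reports that same state as unsafe before anything is written, which is the property a compile-time bounds check needs.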