http://bugs.exim.org/show_bug.cgi?id=962
Summary: buffer overflow in pcre_compile.c
Product: PCRE
Version: 8.01
Platform: Other
OS/Version: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
AssignedTo: ph10@???
ReportedBy: michael.santos@???
CC: pcre-dev@???
There is a test in pcre_compile.c to check if the buffer holding the compiled
regexp has been overrun:
pcre_compile.c:2725

    if (code > cd->start_workspace + COMPILE_WORK_SIZE) /* Check for overrun */
      {
      *errorcodeptr = ERR52;
      goto FAILED;
      }
The test looks to be incorrect, because when the check is true, the
buffer pointed to by cd->start_workspace (which is COMPILE_WORK_SIZE
bytes) will have already been overrun.
There is a similar check at pcre_compile.c:2774.
So, for example, on Ubuntu 8.04:
$ perl -e 'print "/","("x819, ")"x819, "/"' | ./pcretest
PCRE version 8.01 2010-01-19
re> re> *** stack smashing detected ***: /media/opt/src/c/pcre-8.01/.libs/lt-pcretest terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f4f138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7f4f0f0]
/media/opt/src/c/pcre-8.01/.libs/libpcre.so.0[0xb7fd7764]
/media/opt/src/c/pcre-8.01/.libs/libpcre.so.0(pcre_compile2+0x5f8)[0xb7fc9f18]
/media/opt/src/c/pcre-8.01/.libs/libpcre.so.0(pcre_compile+0x41)[0xb7fca541]
/media/opt/src/c/pcre-8.01/.libs/lt-pcretest[0x804aead]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7e78450]
/media/opt/src/c/pcre-8.01/.libs/lt-pcretest[0x8049141]
The attached patch isn't quite right, since the offset returned in the
error will be wrong and the comments in pcre_internal.h suggest that
the lengths may be only minima anyway.
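As an added illustration of why a check that runs after the write is too late (a constructed model written for this note, not PCRE's code; WORK_SIZE, compile_model and the emit_* functions are assumptions), the following C compares the report's write-then-test ordering with a test-before-write variant; the model records an out-of-bounds write instead of performing it:

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the report's check, not PCRE code; names and sizes are assumptions. */
#define WORK_SIZE 16

typedef struct {
    unsigned char workspace[WORK_SIZE];  /* stands in for cd->start_workspace */
    unsigned char *code;                 /* next free byte, like 'code' */
    int overrun;                         /* set if a write fell outside workspace */
} compile_model;

typedef int (*emit_fn)(compile_model *, const unsigned char *, size_t);

/* The ordering from the report: write first, test afterwards. The test only
 * becomes true once 'code' already points past the end, i.e. after the
 * out-of-bounds write. The model records that write instead of doing it. */
static int emit_then_check(compile_model *m, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++, m->code++) {
        if (m->code < m->workspace + WORK_SIZE)
            *m->code = b[i];
        else
            m->overrun = 1;          /* real code corrupts memory here */
    }
    return (m->code > m->workspace + WORK_SIZE) ? -1 : 0;  /* ERR52-style, too late */
}

/* Safer ordering: reject the emission before touching the buffer. */
static int check_then_emit(compile_model *m, const unsigned char *b, size_t n)
{
    if (n > (size_t)(m->workspace + WORK_SIZE - m->code))
        return -1;                   /* would not fit; nothing written */
    memcpy(m->code, b, n);
    m->code += n;
    return 0;
}

/* Fill to one byte short of the end, then emit two bytes with the given
 * strategy. Returns 1 if a write landed out of bounds before rejection. */
static int corrupts_before_reject(emit_fn emit)
{
    compile_model m = {{0}, NULL, 0};
    unsigned char fill[WORK_SIZE - 1] = {0}, two[2] = {1, 2};
    m.code = m.workspace;
    emit(&m, fill, sizeof fill);
    return emit(&m, two, 2) == -1 && m.overrun;
}
```

With the late check both strategies report an error, but only the early one does so before any byte has been written outside the buffer.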