[pcre-dev] [Bug 1236] New: Potential buffer overflow of ovec…

Author: Todd Wease
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1236] New: Potential buffer overflow of ovector in pcre_exec()
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1236
           Summary: Potential buffer overflow of ovector in pcre_exec()
           Product: PCRE
           Version: 8.30
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: high
         Component: Code
        AssignedTo: ph10@???
        ReportedBy: twease@???
                CC: pcre-dev@???
Looks like in 8.30 there may be the potential for a buffer overflow of the
ovector in pcre_exec. See attached C file. If ovector is on the stack, I
sometimes get a segfault. If it is dynamically allocated, I get valgrind
errors about invalid writes:

[twease@twease-computer pcre-segfault]$ gcc pcre-poc.c -o pcre-poc -I /usr/local/include/ -L /usr/local/lib -lpcre
[twease@twease-computer pcre-segfault]$ valgrind ./pcre-poc
==12586== Memcheck, a memory error detector
==12586== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==12586== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==12586== Command: ./pcre-poc
==12586== 
==12586== Invalid write of size 4
==12586==    at 0x4C3A156: pcre_exec (pcre_exec.c:6893)
==12586==    by 0x40072F: main (in /home/twease/pcre-segfault/pcre-poc)
==12586==  Address 0x4e45058 is 12 bytes after a block of size 12 alloc'd
==12586==    at 0x4A05E46: malloc (vg_replace_malloc.c:195)
==12586==    by 0x4006C5: main (in /home/twease/pcre-segfault/pcre-poc)
==12586== 
==12586== Invalid write of size 4
==12586==    at 0x4C3A163: pcre_exec (pcre_exec.c:6893)
==12586==    by 0x40072F: main (in /home/twease/pcre-segfault/pcre-poc)
==12586==  Address 0x4e4505c is not stack'd, malloc'd or (recently) free'd
==12586== 
==12586== 
==12586== HEAP SUMMARY:
==12586==     in use at exit: 136 bytes in 2 blocks
==12586==   total heap usage: 3 allocs, 1 frees, 196 bytes allocated
==12586== 
==12586== LEAK SUMMARY:
==12586==    definitely lost: 136 bytes in 2 blocks
==12586==    indirectly lost: 0 bytes in 0 blocks
==12586==      possibly lost: 0 bytes in 0 blocks
==12586==    still reachable: 0 bytes in 0 blocks
==12586==         suppressed: 0 bytes in 0 blocks
==12586== Rerun with --leak-check=full to see details of leaked memory
==12586== 
==12586== For counts of detected and suppressed errors, rerun with: -v
==12586== ERROR SUMMARY: 9 errors from 2 contexts (suppressed: 6 from 6)
--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
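Added example, not part of Todd's report and not PCRE code: a small guard-word harness that catches the class of defect the valgrind output above shows (a write past the end of the ovector) without needing valgrind. It does not link against libpcre; the matcher is passed as a function pointer with the same (ovector, ovecsize) convention as pcre_exec so that a real call can be wrapped in the same way. GUARD_WORDS, GUARD_VALUE, run_guarded, ovecsize_for_pairs and the two stub matchers are constructed names, and the overrunning stub only writes into the harness's own guard region.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Guard words placed on each side of the ovector. GUARD_VALUE is an
 * arbitrary constructed pattern; a matcher that writes outside the
 * ovector overwrites it and is caught after the call. */
#define GUARD_WORDS 8
#define GUARD_VALUE 0x5A5A5A5A

/* Same ovector/ovecsize convention as pcre_exec(): the callee receives
 * an int array and its length and must not write past it. */
typedef int (*matcher_fn)(int *ovector, int ovecsize);

/* pcre_exec() uses three ints of ovector per capture pair, so derive
 * the array length from the number of pairs instead of guessing it. */
int ovecsize_for_pairs(int pairs) {
    return pairs * 3;
}

/* Run `match` against an ovector of `ovecsize` ints surrounded by guard
 * words. Returns 1 if both guard regions are intact afterwards, 0 if
 * either was overwritten (an out-of-bounds write by the matcher), and
 * -1 on allocation failure. The matcher's own return value is stored in
 * *rc when rc is non-NULL. */
int run_guarded(matcher_fn match, int ovecsize, int *rc) {
    size_t total = (size_t)ovecsize + 2 * GUARD_WORDS;
    int *block = malloc(total * sizeof(int));
    int *ovector, intact = 1, result, i;
    if (block == NULL) return -1;
    for (i = 0; i < (int)total; i++) block[i] = GUARD_VALUE;
    ovector = block + GUARD_WORDS;
    /* pcre_exec() reports unset slots as -1; start from that state. */
    for (i = 0; i < ovecsize; i++) ovector[i] = -1;
    result = match(ovector, ovecsize);
    if (rc != NULL) *rc = result;
    for (i = 0; i < GUARD_WORDS; i++) {
        if (block[i] != GUARD_VALUE) intact = 0;                          /* underrun */
        if (block[GUARD_WORDS + ovecsize + i] != GUARD_VALUE) intact = 0; /* overrun  */
    }
    free(block);
    return intact;
}

/* Constructed well-behaved matcher: records one capture pair and stays
 * inside the array. */
int stub_in_bounds(int *ovector, int ovecsize) {
    if (ovecsize < 2) return 0;
    ovector[0] = 0;
    ovector[1] = 5;
    return 1;
}

/* Constructed misbehaving matcher: stores one extra capture pair just
 * past the end of the array, the shape of defect the report's
 * "Invalid write of size 4 ... after a block" lines point at. Here the
 * write lands in the harness's guard region, not in unowned memory. */
int stub_overrun(int *ovector, int ovecsize) {
    ovector[ovecsize] = 0;
    ovector[ovecsize + 1] = 5;
    return 1;
}

int main(void) {
    int rc, intact, size = ovecsize_for_pairs(1);
    intact = run_guarded(stub_in_bounds, size, &rc);
    printf("in-bounds matcher: guards intact = %d (rc %d)\n", intact, rc);
    intact = run_guarded(stub_overrun, size, &rc);
    printf("overrunning matcher: guards intact = %d (rc %d)\n", intact, rc);
    return 0;
}
```

To wrap a real call, write a matcher that captures the pattern and subject in file-scope variables and forwards to pcre_exec with the ovector and ovecsize it is handed; the harness then reports whether pcre_exec stayed inside the array for that input, which is the check the valgrind run above performs by instrumentation.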