http://bugs.exim.org/show_bug.cgi?id=1236
Summary: Potential buffer overflow of ovector in pcre_exec()
Product: PCRE
Version: 8.30
Platform: x86-64
OS/Version: Linux
Status: NEW
Severity: security
Priority: high
Component: Code
AssignedTo: ph10@???
ReportedBy: twease@???
CC: pcre-dev@???
Looks like in 8.30 there may be the potential for a buffer overflow of the
ovector in pcre_exec. See attached C file. If ovector is on the stack, I
sometimes get a segfault. If it is dynamically allocated, I get valgrind errors
about invalid writes:
[twease@twease-computer pcre-segfault]$ gcc pcre-poc.c -o pcre-poc -I /usr/local/include/ -L /usr/local/lib -lpcre
[twease@twease-computer pcre-segfault]$ valgrind ./pcre-poc
==12586== Memcheck, a memory error detector
==12586== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==12586== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==12586== Command: ./pcre-poc
==12586==
==12586== Invalid write of size 4
==12586== at 0x4C3A156: pcre_exec (pcre_exec.c:6893)
==12586== by 0x40072F: main (in /home/twease/pcre-segfault/pcre-poc)
==12586== Address 0x4e45058 is 12 bytes after a block of size 12 alloc'd
==12586== at 0x4A05E46: malloc (vg_replace_malloc.c:195)
==12586== by 0x4006C5: main (in /home/twease/pcre-segfault/pcre-poc)
==12586==
==12586== Invalid write of size 4
==12586== at 0x4C3A163: pcre_exec (pcre_exec.c:6893)
==12586== by 0x40072F: main (in /home/twease/pcre-segfault/pcre-poc)
==12586== Address 0x4e4505c is not stack'd, malloc'd or (recently) free'd
==12586==
==12586==
==12586== HEAP SUMMARY:
==12586== in use at exit: 136 bytes in 2 blocks
==12586== total heap usage: 3 allocs, 1 frees, 196 bytes allocated
==12586==
==12586== LEAK SUMMARY:
==12586== definitely lost: 136 bytes in 2 blocks
==12586== indirectly lost: 0 bytes in 0 blocks
==12586== possibly lost: 0 bytes in 0 blocks
==12586== still reachable: 0 bytes in 0 blocks
==12586== suppressed: 0 bytes in 0 blocks
==12586== Rerun with --leak-check=full to see details of leaked memory
==12586==
==12586== For counts of detected and suppressed errors, rerun with: -v
==12586== ERROR SUMMARY: 9 errors from 2 contexts (suppressed: 6 from 6)
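The valgrind output above pins down the shape of the fault: the ovector block is 12 bytes (three ints), and the two 4-byte writes land 12 and 16 bytes past its end, which for an int array means indices 6 and 7. The attached pcre-poc.c is not reproduced in the report, so what follows is an added example, not the reporter's file and not PCRE's code. It shows a caller-side check that catches this class of defect without valgrind: over-allocate the output vector, fill the slack past the nominal size with a sentinel, and compare the sentinel after the call. The two writer functions are constructed stand-ins (one well-behaved, one that reproduces the reported write pattern) so the harness runs stand-alone; nothing here links against libpcre or claims to show pcre_exec's internal code path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not part of the bug report or the PCRE project.
 * Canary-guarded output vector: the nominal ovector is followed by
 * GUARD_SLOTS sentinel ints; any write past the nominal size is
 * reported after the call returns. */

#define CANARY      0x5A5A5A5A
#define GUARD_SLOTS 16   /* extra ints kept beyond the nominal ovector size */

/* Same calling shape as pcre_exec's output contract: the callee receives
 * the ovector and its nominal size in ints. */
typedef int (*ovector_writer)(int *ovector, int ovecsize);

/* Runs `writer` on a guarded ovector of `ovecsize` ints.
 * Returns the offset (in ints) of the first clobbered guard slot relative
 * to the nominal end (0 == the first slot past the end), -1 if no overflow
 * was detected, or -2 if allocation failed.  The writer's own return value
 * is stored in *rc when rc is non-NULL. */
int run_guarded(ovector_writer writer, int ovecsize, int *rc)
{
    int total = ovecsize + GUARD_SLOTS;
    int *buf = malloc((size_t)total * sizeof(int));
    if (buf == NULL) return -2;

    memset(buf, 0, (size_t)ovecsize * sizeof(int));
    for (int i = ovecsize; i < total; i++) buf[i] = CANARY;

    int r = writer(buf, ovecsize);
    if (rc) *rc = r;

    int first_bad = -1;
    for (int i = ovecsize; i < total; i++) {
        if (buf[i] != CANARY) { first_bad = i - ovecsize; break; }
    }
    free(buf);
    return first_bad;
}

/* Constructed stand-in for a well-behaved matcher: writes only in bounds. */
int good_writer(int *ovector, int ovecsize)
{
    for (int i = 0; i < ovecsize; i++) ovector[i] = i;
    return ovecsize / 3;
}

/* Constructed stand-in reproducing the reported write pattern: with a
 * 3-int ovector it stores to slots 6 and 7, i.e. 12 and 16 bytes past the
 * end of a 12-byte block, the same offsets valgrind flagged.  This is a
 * simulation of the symptom, not PCRE's actual code. */
int bad_writer(int *ovector, int ovecsize)
{
    (void)ovecsize;
    ovector[0] = 0; ovector[1] = 1; ovector[2] = -1;
    ovector[6] = 0;   /* out of bounds when ovecsize == 3 */
    ovector[7] = 0;   /* out of bounds when ovecsize == 3 */
    return 1;
}

int main(void)
{
    int rc;
    int bad = run_guarded(good_writer, 3, &rc);
    printf("good_writer: first clobbered guard slot %d (rc=%d)\n", bad, rc);
    bad = run_guarded(bad_writer, 3, &rc);
    printf("bad_writer:  first clobbered guard slot %d (rc=%d)\n", bad, rc);
    return 0;
}
```

With a real pcre_exec call in place of the writer, the same harness gives a cheap regression check in a test suite: keep ovecsize a multiple of 3 (pcre_exec uses the top third of the vector as workspace) and assert that run_guarded returns -1 for every pattern and subject in the corpus.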