[pcre-dev] [Bug 1236] Potential buffer overflow of ovector i…

Top Page
Delete this message
Author: Philip Hazel
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1236] Potential buffer overflow of ovector in pcre_exec()
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1236

Philip Hazel <ph10@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED





--- Comment #2 from Philip Hazel <ph10@???> 2012-04-21 19:13:20 ---
Thank you for the nice clear test case. I have fixed the bug in pcre_exec.c
(just a few characters!) and committed the patched file (SVN 963). I have also
updated the test system and the tests so that this error (if it happens again)
will be picked up by valgrind. The trivial patch that fixes the bug is this:


--- pcre_exec.c.ORIG    2012-04-21 19:10:55.000000000 +0100
+++ pcre_exec.c 2012-04-21 19:11:12.000000000 +0100
@@ -6887,7 +6887,7 @@
     {
     register int *iptr, *iend;
     int resetcount = 2 + re->top_bracket * 2;
-    if (resetcount > offsetcount) resetcount = ocount;
+    if (resetcount > offsetcount) resetcount = offsetcount;
     iptr = offsets + md->end_offset_top;
     iend = offsets + resetcount;
     while (iptr < iend) *iptr++ = -1;


The bug was provoked by having back references that were greater than the
ovector could hold, and an unused highest capturing parens.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email