[pcre-dev] [Bug 1236] Potential buffer overflow of ovector i…

Author: Philip Hazel
To: pcre-dev
Subject: [pcre-dev] [Bug 1236] Potential buffer overflow of ovector in pcre_exec()


Philip Hazel <ph10@???> changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Philip Hazel <ph10@???> 2012-04-21 19:13:20 ---
Thank you for the nice clear test case. I have fixed the bug in pcre_exec.c
(just a few characters!) and committed the patched file (SVN 963). I have also
updated the test system and the tests so that this error (if it happens again)
will be picked up by valgrind. The trivial patch that fixes the bug is this:

--- pcre_exec.c.ORIG    2012-04-21 19:10:55.000000000 +0100
+++ pcre_exec.c 2012-04-21 19:11:12.000000000 +0100
@@ -6887,7 +6887,7 @@
     register int *iptr, *iend;
     int resetcount = 2 + re->top_bracket * 2;
-    if (resetcount > offsetcount) resetcount = ocount;
+    if (resetcount > offsetcount) resetcount = offsetcount;
     iptr = offsets + md->end_offset_top;
     iend = offsets + resetcount;
     while (iptr < iend) *iptr++ = -1;
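Review bot: the one-token change is the whole fix, and it is correct: the clamp tests resetcount against offsetcount but the old line assigned ocount, so whenever ocount is larger than offsetcount the loop bound iend = offsets + resetcount still lay past the offsetcount entries the caller supplied and the while loop wrote -1 beyond the end of the ovector. Because offsetcount and ocount are easy to confuse, suggest a one-line comment above the clamp stating that offsetcount, the caller's count, is the bound for the reset loop, and keeping the valgrind-checked test mentioned in the message so that a too-small ovector keeps exercising this bound.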

The bug was provoked by having back references that were greater than the
ovector could hold, and unused highest capturing parentheses.

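The following is an added example, not code from PCRE or from the bug report above. It models the reset loop shown in the patch in isolation so that the effect of assigning ocount instead of offsetcount can be observed with a guard region instead of valgrind. The function names, the constants and the scenario values (a 6-entry caller ovector, a 12-entry internal vector, top_bracket of 5, four entries set by the match) are constructed for illustration; the assumption that ocount can exceed offsetcount when back references need more room than the caller's ovector provides is taken from the description in the comment, not from the hunk itself.

```c
#include <stdio.h>

/* Sentinel value for the guard region that follows the model ovector. */
#define CANARY 0x5A5A5A5A
#define GUARD_ENTRIES 32

/* Model of the "set unused offsets to -1" loop from the patched hunk.
   offsets        : the caller's ovector, with offsetcount usable entries
   ocount         : size of the vector actually used during matching; assumed
                    here to be larger than offsetcount when the pattern has more
                    back references than the caller's ovector can hold
   top_bracket    : highest capturing group number in the pattern
   end_offset_top : first entry not set by the match
   fixed          : 0 reproduces the old line (resetcount = ocount),
                    1 applies the patch     (resetcount = offsetcount) */
static void reset_unset_offsets(int *offsets, int offsetcount, int ocount,
                                int top_bracket, int end_offset_top, int fixed)
{
  int *iptr, *iend;
  int resetcount = 2 + top_bracket * 2;
  if (resetcount > offsetcount) resetcount = fixed ? offsetcount : ocount;
  iptr = offsets + end_offset_top;
  iend = offsets + resetcount;
  while (iptr < iend) *iptr++ = -1;
}

/* Constructed scenario matching the description in the bug: back references
   need more room than the 6-entry ovector the caller passed (so the internal
   vector has 12 entries), and the highest capturing group did not take part
   in the match, so the loop has entries to reset. The backing array is
   deliberately larger than the model ovector so the buggy variant overruns
   the model ovector, not the C object. */
#define OFFSETCOUNT    6
#define OCOUNT         12
#define TOP_BRACKET    5   /* 2 + 5*2 = 12 entries wanted, only 6 supplied */
#define END_OFFSET_TOP 4   /* entries 0..3 were set by the match */

static void run_scenario(int fixed, int backing[OFFSETCOUNT + GUARD_ENTRIES])
{
  int i;
  for (i = 0; i < OFFSETCOUNT + GUARD_ENTRIES; i++) backing[i] = CANARY;
  reset_unset_offsets(backing, OFFSETCOUNT, OCOUNT, TOP_BRACKET,
                      END_OFFSET_TOP, fixed);
}

/* Number of guard entries past the model ovector that were overwritten. */
static int guard_entries_clobbered(int fixed)
{
  int backing[OFFSETCOUNT + GUARD_ENTRIES];
  int i, n = 0;
  run_scenario(fixed, backing);
  for (i = OFFSETCOUNT; i < OFFSETCOUNT + GUARD_ENTRIES; i++)
    if (backing[i] != CANARY) n++;
  return n;
}

/* Number of in-bounds, unset entries that were correctly reset to -1. */
static int in_bounds_entries_reset(int fixed)
{
  int backing[OFFSETCOUNT + GUARD_ENTRIES];
  int i, n = 0;
  run_scenario(fixed, backing);
  for (i = END_OFFSET_TOP; i < OFFSETCOUNT; i++)
    if (backing[i] == -1) n++;
  return n;
}

int main(void)
{
  printf("old line: %d guard entries clobbered, %d in-bounds entries reset\n",
         guard_entries_clobbered(0), in_bounds_entries_reset(0));
  printf("patched:  %d guard entries clobbered, %d in-bounds entries reset\n",
         guard_entries_clobbered(1), in_bounds_entries_reset(1));
  return 0;
}
```

With the old line, the clamp is ineffective: resetcount becomes 12, so the loop writes -1 into entries 4 through 11 and six of them land in the guard region after the 6-entry ovector. With the patched line, resetcount is 6 and only the two in-bounds unset entries are touched; both variants reset the in-bounds entries the same way, which is why the bug only shows up as memory corruption past the end of the caller's buffer.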