Re: [pcre-dev] JIT access violation

Góra strony
Delete this message
Autor: Zoltán Herczeg
Data:  
Dla: pcre-dev
Temat: Re: [pcre-dev] JIT access violation
Hi,

yes, it helps a bit, since now the length is 69 on my side as well. However, I still cannot see the buffer overflow, since the offset is 64. The value (OP_KET) is also correct.

Could you print the re after the "re = (REAL_PCRE *)(PUBL(malloc))(size);" and common->start and GET(common->start, 1) as well? If the offset is really incorrect, probably common->start-re will not be equal to 56.

Regards,
Zoltan

Ralf Junker <ralfjunker@???> írta:
>On 13.05.2013 12:36, Zoltán Herczeg wrote:>
>
> this is quite interesting. Am I see right, that your pattern only contains two fixed characters (backslash and space)? On a 32 bit Linux system, in 8 bit mode, that is 67 bytes long (56 bytes for header, 11 for pattern) instead of 69. That read access reads byte 63, which is perfect.>
>

The pattern contains, without leading / trailing slahes:>
>

\Q\ \E>
>

The core pattern is one backslash and one space each.>
>
> This is the interesting part:>
> size = sizeof(REAL_PCRE) + (length + cd->names_found * cd->name_entry_size) * sizeof(pcre_uchar);>
> >
> Could you print sizeof(REAL_PCRE), length, and size here?>
>

After this line, the numbers are as follows:>
>

  sizeof(REAL_PCRE) = 56>
  length            = 13>
  size              = 69>

>

Does it matter that I compile with LINK_SIZE=3 ?>
>

Yes, it does. If I recompile with LINK_SIZE=2 (the default), I get these>
numbers:>
>

  sizeof(REAL_PCRE) = 56>
  length            = 11>
  size              = 69>

>

Does this help?>
>

Ralf>