[pcre-dev] [Bug 1503] PCRE Library Stack Overflow Vulnerabil…

Author: Philip Hazel
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1503] PCRE Library Stack Overflow Vulnerability
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1503

Philip Hazel <ph10@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #3 from Philip Hazel <ph10@???> 2014-07-12 19:27:02 ---
Many thanks to Zoltan for his discovery of that misbehaviour. It made finding
the problem much easier. This is very much an "oversight" bug. I have committed
a small patch that fixes it. Here is the patch to pcre_compile.c:

@@ -8267,12 +8267,16 @@

     /* If it was a capturing subpattern, check to see if it contained any
     recursive back references. If so, we must wrap it in atomic brackets.
-    In any event, remove the block from the chain. */
+    Because we are moving code along, we must ensure that any pending
recursive
+    references are updated. In any event, remove the block from the chain. */


     if (capnumber > 0)
       {
       if (cd->open_caps->flag)
         {
+        *code = OP_END;
+        adjust_recurse(start_bracket, 1 + LINK_SIZE,
+          (options & PCRE_UTF8) != 0, cd, cd->hwm);
         memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
           IN_UCHARS(code - start_bracket));
         *start_bracket = OP_ONCE;
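Review bot: the new `*code = OP_END;` line has no comment explaining what it is for, and the new comment text above it only says that pending recursive references must be updated. From the surrounding lines the intent appears to be a sentinel: writing OP_END at the current end of the compiled group gives adjust_recurse() a terminator for its walk over the code starting at start_bracket, and it is then harmlessly overwritten when the memmove() shifts the group up by 1 + LINK_SIZE (the moved range covers `code - start_bracket` bytes, so it reaches the slot the sentinel occupies). That ordering, adjust first and move second, is the whole fix, so a one-line comment such as "Terminate the group so adjust_recurse() can scan it before it is moved" would make the reasoning visible to the next reader. Separately, the new comment line is broken after "pending" with "recursive" on a line of its own, which looks like a mail wrap; worth confirming the committed pcre_compile.c reads as one comment line.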


The bug was provoked by a group that contained an internal recursive back
reference which also had a repeat count of zero.

