[pcre-dev] [Bug 1546] New: Heap buffer overflow in pcregrep

Author: Michele Spagnuolo
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1546] New: Heap buffer overflow in pcregrep

http://bugs.exim.org/show_bug.cgi?id=1546
           Summary: Heap buffer overflow in pcregrep
           Product: PCRE
           Version: 8.36
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
        AssignedTo: ph10@???
        ReportedBy: mikispag@???
                CC: pcre-dev@???
echo "a" | /tmp/pcre-8.36/pcregrep "((?=(?(?=(?(?=(?(?=())))*))))){2}" -
=================================================================
==29857==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61000000fb94 at pc 0x7faf416f0dc6 bp 0x7fff9c91d3b0 sp 0x7fff9c91d3a8
READ of size 1 at 0x61000000fb94 thread T0
    #0 0x7faf416f0dc5 in match /tmp/pcre-8.36/pcre_exec.c:1410:9
    #1 0x7faf416dfe35 in match /tmp/pcre-8.36/pcre_exec.c:1538:7
    #2 0x7faf416e46de in match /tmp/pcre-8.36/pcre_exec.c:1399:7
    #3 0x7faf416dfe35 in match /tmp/pcre-8.36/pcre_exec.c:1538:7
    #4 0x7faf416ee260 in match /tmp/pcre-8.36/pcre_exec.c:983:9
    #5 0x7faf416dcd49 in pcre_exec /tmp/pcre-8.36/pcre_exec.c:6923:8
    #6 0x4a4580 in match_patterns /tmp/pcre-8.36/pcregrep.c:1449:10
    #7 0x4a13ca in pcregrep /tmp/pcre-8.36/pcregrep.c:1679:11
    #8 0x4a3624 in grep_or_recurse /tmp/pcre-8.36/pcregrep.c:2122:10
    #9 0x49efbf in main /tmp/pcre-8.36/pcregrep.c:3251:13
    #10 0x7faf405b7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #11 0x4172a6 in _start (/tmp/pcre-8.36/.libs/lt-pcregrep+0x4172a6)


AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/pcre-8.36/pcre_exec.c:1410 match
Shadow bytes around the buggy address:
  0x0c207fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c207fff9f70: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  ASan internal:           fe
==29857==ABORTING


___________

Thanks,
Michele Spagnuolo
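A report like the one above is usually bucketed by a triage script before a maintainer reads it. The following is an added example, not code from the bug report or from the PCRE project: it parses the sanitizer output (re-embedded here as constructed sample input, with the wrapped lines rejoined) and extracts the bug class, the access kind and size, the first frame inside the project tree and a crash-bucketing fingerprint; the `project_root` prefix is an assumption matching the paths in the trace.

```python
import re

# Constructed sample input: the ASan report from the bug report above (frame #11 omitted).
ASAN_REPORT = """\
==29857==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61000000fb94 at pc 0x7faf416f0dc6 bp 0x7fff9c91d3b0 sp 0x7fff9c91d3a8
READ of size 1 at 0x61000000fb94 thread T0
    #0 0x7faf416f0dc5 in match /tmp/pcre-8.36/pcre_exec.c:1410:9
    #1 0x7faf416dfe35 in match /tmp/pcre-8.36/pcre_exec.c:1538:7
    #2 0x7faf416e46de in match /tmp/pcre-8.36/pcre_exec.c:1399:7
    #3 0x7faf416dfe35 in match /tmp/pcre-8.36/pcre_exec.c:1538:7
    #4 0x7faf416ee260 in match /tmp/pcre-8.36/pcre_exec.c:983:9
    #5 0x7faf416dcd49 in pcre_exec /tmp/pcre-8.36/pcre_exec.c:6923:8
    #6 0x4a4580 in match_patterns /tmp/pcre-8.36/pcregrep.c:1449:10
    #7 0x4a13ca in pcregrep /tmp/pcre-8.36/pcregrep.c:1679:11
    #8 0x4a3624 in grep_or_recurse /tmp/pcre-8.36/pcregrep.c:2122:10
    #9 0x49efbf in main /tmp/pcre-8.36/pcregrep.c:3251:13
    #10 0x7faf405b7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/pcre-8.36/pcre_exec.c:1410 match
"""

# One symbolized ASan frame: "#N 0xADDR in FUNC PATH:LINE[:COL]".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+?):(\d+)(?::\d+)?\s*$")

def parse_asan_report(text, project_root="/tmp/pcre-8.36/", depth=3):
    """Triage one ASan report. The fingerprint is built from the top `depth`
    in-project frames, so recursion in `match` still yields a stable bucket key."""
    info = {"bug": None, "access": None, "size": None, "frame": None,
            "wild": "wild memory access suspected" in text, "fingerprint": None}
    m = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    if m:
        info["bug"] = m.group(1)
    m = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    if m:
        info["access"], info["size"] = m.group(1), int(m.group(2))
    frames = []  # (function, path relative to project_root, line) for in-project frames only
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm and fm.group(3).startswith(project_root):  # skips libc and other external frames
            frames.append((fm.group(2), fm.group(3)[len(project_root):], int(fm.group(4))))
    if frames:
        info["frame"] = frames[0]
        info["fingerprint"] = "|".join([info["bug"] or "?"] +
                                       [f"{f}:{p}:{n}" for f, p, n in frames[:depth]])
    return info
```

The "wild" flag matters for triage: ASan could not attribute the address to any heap chunk, which points to a computed pointer that left its buffer rather than a simple off-by-one past a known allocation.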

