Dear developers,
I tested pcre using a fuzzing tool and found an undefined behavior.
I downloaded the source code from svn.
svn co svn://vcs.exim.org/pcre2/code/trunk pcre
Attached are two files to reproduce the undefined behavior.
First build pcre with the clang undefined behavior sanitizer, and then compile pcre_fuzzer.cc using the commands shown below:
clang++ -g -fsanitize=undefined -c -std=c++11 -I inst/include/ pcre_fuzzer.cc
clang++ -g -fsanitize=undefined -Wl,--whole-archive inst/lib/*.a
-Wl,-no-whole-archive pcre_fuzzer.o -o pcre_fuzzer
Then execute pcre_fuzzer; you'll see the error information reported by ubsan.
./pcre_fuzzer
src/pcre2_compile.c:6665:45: runtime error: left shift of 1 by 31 places
cannot be represented in type 'int'
--
Dingbao Xie
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>
#include "pcre2posix.h"

// Read a whole file into a byte vector (binary mode, so the fuzzer input
// is not altered by newline translation).
std::vector<uint8_t> FileToVector(const std::string &path) {
    std::ifstream T(path, std::ios::binary);
    return std::vector<uint8_t>((std::istreambuf_iterator<char>(T)),
                                std::istreambuf_iterator<char>());
}

// libFuzzer-style entry point: treat the input as a NUL-terminated pattern,
// compile it through the POSIX wrapper and match it against itself.
void LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
    if (size < 1) return;
    char *str = new char[size + 1];
    memcpy(str, data, size);
    str[size] = 0;
    regex_t preg;
    if (0 == regcomp(&preg, str, 0)) {
        regexec(&preg, str, 0, 0, 0);
        regfree(&preg);
    }
    delete[] str;
}

// Replay the attached crash input "./ub" through the fuzzer entry point.
int main() {
    std::vector<uint8_t> test = FileToVector("./ub");
    LLVMFuzzerTestOneInput(test.data(), test.size());
    return 0;
}
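The ubsan message above ("left shift of 1 by 31 places cannot be represented in type 'int'") describes a general class of defect, not something specific to the regex in the attachment. The following C is an added example, not part of this report or of PCRE2's code: it implements the C standard's rule for when `E1 << E2` is defined, shows the bit-mask pattern that trips the rule for n = 31, and a hardened form that does the shift in an unsigned 32-bit type. The function names are made up for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* C11 6.5.7p4: E1 << E2 is defined only when E2 is non-negative and smaller
 * than the width of the promoted E1, E1 is non-negative, and E1 * 2^E2 is
 * representable in that type. Returns 1 if the shift is defined, else 0. */
int int_shift_left_is_defined(int e1, int e2)
{
    const int width = (int)(sizeof(int) * CHAR_BIT);  /* 32 on common targets */
    if (e2 < 0 || e2 >= width) return 0;               /* shift count out of range */
    if (e1 < 0) return 0;                              /* negative left operand */
    return e1 <= (INT_MAX >> e2);                      /* result must fit in int */
}

/* The pattern that produces the ubsan report: a mask built as 1 << n in int.
 * For n == 31 this is undefined behaviour even though many compilers happen
 * to emit INT_MIN. Shown here as the "before" form; do not call it with 31. */
int bit_mask_int(int n)
{
    return 1 << n;
}

/* Hardened form: shift in uint32_t, where every count below the width is
 * defined, and reject out-of-range counts instead of shifting. */
uint32_t bit_mask_u32(int n)
{
    if (n < 0 || n >= 32) return 0;   /* caller error; perform no shift */
    return (uint32_t)1 << n;
}

int main(void)
{
    for (int n = 29; n <= 32; n++)
        printf("n=%d defined_in_int=%d mask_u32=0x%08x\n", n,
               int_shift_left_is_defined(1, n), bit_mask_u32(n));
    return 0;
}
```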