[pcre-dev] [Bug 1660] New: pcre_exec delivers wrong offsets

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1660] New: pcre_exec delivers wrong offsets
https://bugs.exim.org/show_bug.cgi?id=1660

            Bug ID: 1660
           Summary: pcre_exec delivers wrong offsets
           Product: PCRE
           Version: 8.37
          Hardware: x86
                OS: All
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: ab@???
                CC: pcre-dev@???


Hi,

I was looking through the existing tickets but couldn't find anything similar.
This bug is reported on the PHP security lists and is found in PHP; however, a
simple C snippet reproduces it as well. In PHP:

================= CODE ===================
<?php

$regex = '/(?=ab\K)/';

if(preg_match($regex, $regex, $matches)) {
        var_dump($matches);
}
================= END CODE ==================


Basically it is the pattern (?=ab\K) that produces an issue. pcre_exec returns
1 when this pattern is matched with itself. However when looking for
substrings, the offsets produce negative numbers when used like offset[i+1] -
offset[i]. This leads to crashes when such code is used, outside of PCRE as
well as with a subsequent pcre_get_substring_list call.

Thanks.

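A caller-side check for the condition described in the report, as an added C example (not code from the original message or from PCRE): validate each offset pair before computing `offset[i+1] - offset[i]` and using it as a length. The function name `checked_substring`, the `SUB_*` error codes and the sample pair `{6, 4}` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical error codes for this example (not PCRE constants). */
enum { SUB_UNSET = -1, SUB_BADINDEX = -2, SUB_INVERTED = -3,
       SUB_RANGE = -4, SUB_NOSPACE = -5 };

/*
 * Copy group n out of subject using the offset vector filled by pcre_exec.
 * rc is the pcre_exec return value (number of pairs that were set).
 * Returns the substring length, or a negative SUB_* code.
 */
int checked_substring(const char *subject, int subject_len,
                      const int *ovector, int rc, int n,
                      char *buf, int bufsize)
{
    if (rc <= 0 || n < 0 || n >= rc || bufsize <= 0)
        return SUB_BADINDEX;

    int start = ovector[2 * n];
    int end   = ovector[2 * n + 1];

    if (start < 0 || end < 0)
        return SUB_UNSET;        /* group did not take part in the match */
    if (end < start)
        return SUB_INVERTED;     /* negative length, the case in this report */
    if (end > subject_len)
        return SUB_RANGE;        /* offsets point past the subject */

    int len = end - start;
    if (len >= bufsize)
        return SUB_NOSPACE;      /* no room for the terminating NUL */

    memcpy(buf, subject + start, (size_t)len);
    buf[len] = '\0';
    return len;
}

int main(void)
{
    const char *subject = "/(?=ab\\K)/";
    int inverted[2] = { 6, 4 };  /* constructed pair: start after end */
    char buf[16];
    int r = checked_substring(subject, (int)strlen(subject),
                              inverted, 1, 0, buf, (int)sizeof buf);
    printf("result: %d\n", r);   /* SUB_INVERTED instead of a negative memcpy size */
    return r == SUB_INVERTED ? 0 : 1;
}
```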