https://bugs.exim.org/show_bug.cgi?id=1660
Bug ID: 1660
Summary: pcre_exec delivers wrong offsets
Product: PCRE
Version: 8.37
Hardware: x86
OS: All
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: ab@???
CC: pcre-dev@???
Hi,
I was looking through the existing tickets but couldn't find anything similar.
This bug was reported on the PHP security lists and was found in PHP; however, a
simple C snippet reproduces it as well. In PHP:
================= CODE ===================
<?php
// The pattern is matched against itself as the subject string.
$regex = '/(?=ab\K)/';
if (preg_match($regex, $regex, $matches)) {
    var_dump($matches);
}
================= END CODE ==================
Basically it is the pattern (?=ab\K) that produces an issue. pcre_exec returns
1 when this pattern is matched with itself. However when looking for
substrings, the offsets produce negative numbers when used like offset[i+1] -
offset[i]. This leads to crashes when such code is used, outside of PCRE as
well as with a subsequent pcre_get_substring_list call.
Thanks.
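A caller-side check for the condition described in the report, added here as an example; it is not code from the report or from PCRE. The helper names `checked_span` and `copy_span` are hypothetical, and the offset pair `{6, 4}` is constructed to have the start offset greater than the end offset, the shape that makes `offset[i+1] - offset[i]` negative.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: validate one offset pair from the vector filled in by
 * pcre_exec(). Returns the substring length, or -1 if the pair is unusable. */
static int checked_span(const int *ovector, int pair, int subject_len)
{
    int start = ovector[2 * pair];
    int end   = ovector[2 * pair + 1];

    if (start < 0 || end < 0)          /* includes the -1/-1 "unset group" case */
        return -1;
    if (start > subject_len || end > subject_len)
        return -1;                     /* offsets outside the subject */
    if (end < start)
        return -1;                     /* negative length: the case in this report */
    return end - start;
}

/* Copy a validated span into buf. Returns the length copied, or -1 when the
 * pair is rejected or does not fit (no memcpy happens in that case). */
static int copy_span(const char *subject, int subject_len, const int *ovector,
                     int pair, char *buf, size_t bufsize)
{
    int len = checked_span(ovector, pair, subject_len);
    if (len < 0 || (size_t)len >= bufsize)
        return -1;
    memcpy(buf, subject + ovector[2 * pair], (size_t)len);
    buf[len] = '\0';
    return len;
}

int main(void)
{
    const char *subject = "/(?=ab\\K)/";   /* subject from the report */
    int slen = (int)strlen(subject);
    int bad[2]  = { 6, 4 };                /* constructed: start > end */
    int good[2] = { 4, 6 };                /* constructed: well-formed pair */
    char buf[16];

    int r = copy_span(subject, slen, bad, 0, buf, sizeof buf);
    printf("bad pair  -> %d\n", r);
    r = copy_span(subject, slen, good, 0, buf, sizeof buf);
    printf("good pair -> %d '%s'\n", r, buf);
    return 0;
}
```

Without the `end < start` check, the negative difference converted to `size_t` becomes a very large copy length.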