[pcre-dev] [Bug 1699] New: signed integer overflow in src/p…

Αρχική Σελίδα
Delete this message
Συντάκτης: admin
Ημερομηνία:  
Προς: pcre-dev
Αντικείμενο: [pcre-dev] [Bug 1699] New: signed integer overflow in src/pcre2_study.c on "int branchlength"
https://bugs.exim.org/show_bug.cgi?id=1699

            Bug ID: 1699
           Summary: signed integer overflow in src/pcre2_study.c on "int
                    branchlength"
           Product: PCRE
           Version: 10.20 (PCRE2)
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: kcc@???
                CC: pcre-dev@???


Created attachment 835
--> https://bugs.exim.org/attachment.cgi?id=835&action=edit
several reproducers in tar.gz

found with LLVM libFuzzer+ubsan on fresh trunk.
Build with clang -fsanitize=signed-integer-overflow,
feed the attached data into this target function:

extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
  if (size < 1) return 0;
  const char *b = reinterpret_cast<const char*>(data);
  const char *e = reinterpret_cast<const char*>(data) + size;
  char *str = new char[size+1];
  memcpy(str, data, size);
  str[size] = 0;
  regex_t preg;
  if (0 == regcomp(&preg, str, 0)) {
    regmatch_t pmatch[5];
    regexec(&preg, str, 5, pmatch, 0);
    regfree(&preg);
  }
  delete [] str;
  return 0;
}



On different reproducers (all attached) the overflow happens
in different places, but all on the same variable in find_minlength

src/pcre2_study.c:162:18: runtime error: signed integer overflow: 1258933984 +
1254561840 cannot be represented in type 'int'
src/pcre2_study.c:183:18: runtime error: signed integer overflow: 1642076300 +
1642076299 cannot be represented in type 'int'
src/pcre2_study.c:559:18: runtime error: signed integer overflow: 1919010401 +
1919010391 cannot be represented in type 'int'
src/pcre2_study.c:559:25: runtime error: signed integer overflow: 7252 *
4372144 cannot be represented in type 'int'
src/pcre2_study.c:571:20: runtime error: signed integer overflow: 1462063878 +
1919010390 cannot be represented in type 'int'
src/pcre2_study.c:592:24: runtime error: signed integer overflow: 1919010394 +
1919010390 cannot be represented in type 'int'

--
You are receiving this mail because:
You are on the CC list for the bug.