https://bugs.exim.org/show_bug.cgi?id=1699
Bug ID: 1699
Summary: signed integer overflow in src/pcre2_study.c on "int branchlength"
Product: PCRE
Version: 10.20 (PCRE2)
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: Code
Assignee: ph10@???
Reporter: kcc@???
CC: pcre-dev@???
Created attachment 835 --> https://bugs.exim.org/attachment.cgi?id=835&action=edit
several reproducers in tar.gz
Found with LLVM libFuzzer+UBSan on fresh trunk.
Build with clang -fsanitize=signed-integer-overflow,
feed the attached data into this target function:
// Fuzz target for PCRE2's POSIX wrapper (regcomp/regexec/regfree as provided
// by libpcre2-posix); link against libpcre2-posix and libpcre2-8.
#include <cstddef>
#include <cstring>
#include <pcre2posix.h>  // regex_t, regmatch_t, regcomp, regexec, regfree

extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
  if (size < 1) return 0;
  // regcomp expects a NUL-terminated C string, so copy the input into one.
  char *str = new char[size + 1];
  memcpy(str, data, size);
  str[size] = 0;
  regex_t preg;
  // The same input is used both as the pattern and as the subject string.
  if (0 == regcomp(&preg, str, 0)) {
    regmatch_t pmatch[5];
    regexec(&preg, str, 5, pmatch, 0);
    regfree(&preg);
  }
  delete [] str;
  return 0;
}
On different reproducers (all attached) the overflow happens in different places,
but all on the same variable in find_minlength:
src/pcre2_study.c:162:18: runtime error: signed integer overflow: 1258933984 + 1254561840 cannot be represented in type 'int'
src/pcre2_study.c:183:18: runtime error: signed integer overflow: 1642076300 + 1642076299 cannot be represented in type 'int'
src/pcre2_study.c:559:18: runtime error: signed integer overflow: 1919010401 + 1919010391 cannot be represented in type 'int'
src/pcre2_study.c:559:25: runtime error: signed integer overflow: 7252 * 4372144 cannot be represented in type 'int'
src/pcre2_study.c:571:20: runtime error: signed integer overflow: 1462063878 + 1919010390 cannot be represented in type 'int'
src/pcre2_study.c:592:24: runtime error: signed integer overflow: 1919010394 + 1919010390 cannot be represented in type 'int'