[pcre-dev] [Bug 1705] New: heap-buffer-overflow in match sr…

Author: admin
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1705] New: heap-buffer-overflow in match src/pcre2_match.c:3321:20
https://bugs.exim.org/show_bug.cgi?id=1705

            Bug ID: 1705
           Summary: heap-buffer-overflow in match
                    src/pcre2_match.c:3321:20
           Product: PCRE
           Version: 10.20 (PCRE2)
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: kcc@???
                CC: pcre-dev@???


Found in fresh trunk with libFuzzer+AddressSanitizer

==17410==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60600000ef5f at pc 0x0000005b1953 bp 0x7ffca70bfb30 sp 0x7ffca70bfb28
READ of size 1 at 0x60600000ef5f thread T0
    #0 0x5b1952 in match src/pcre2_match.c:3321:20
    #1 0x55415c in pcre2_match_8 src/pcre2_match.c:6997:8
    #2 0x5da316 in regexec src/pcre2posix.c:291:6


0x60600000ef5f is located 1 bytes to the left of 53-byte region
[0x60600000ef60,0x60600000ef95)

(the buffer passed to match())

To reproduce, feed these bytes to the following target function:
0x5c,0x43,0x5b,0x5e,0x28,0x69,0x3f,0xb,0x2a,0x24,0xee,0xad,0xb4,0x24,0x4b,0x5c,0x5e,0x24,0x5d,0x7b,0x30,0x2c,0x7d,0x2f,0x64,0x2a,0xb,0x4d,

#include <cstddef>
#include <string>
#include <pcre2posix.h>   // PCRE2's POSIX wrapper; regcomp/regexec resolve to src/pcre2posix.c

using std::string;

// libFuzzer entry point: the input is used as both the pattern and the
// subject, and its middle byte (with REG_NOSUB cleared, so pmatch is
// actually populated) supplies the regcomp() cflags.
extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
  if (size < 1) return 0;
  regex_t preg;
  string str(reinterpret_cast<const char*>(data), size);
  string pat(str);
  if (0 == regcomp(&preg, pat.c_str(), data[size/2] & ~REG_NOSUB)) {
    regmatch_t pmatch[5];
    regexec(&preg, str.c_str(), 5, pmatch, 0);
    regfree(&preg);
  }
  return 0;
}


--
You are receiving this mail because:
You are on the CC list for the bug.
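Added example (not part of the bug report or of PCRE2): a small driver that turns the comma-separated byte listing above into the 28-byte crash input, writes it as a file the libFuzzer binary can replay, and makes explicit which regcomp() cflags the harness derives from it. It assumes REG_NOSUB is 0x0020 as defined in PCRE2's pcre2posix.h (glibc's regex.h uses a different value, which is why the harness must be built against PCRE2's header); the fuzzer binary name pcre2_posix_fuzzer in the printed command is hypothetical.

```cpp
// Reproducer driver for Bug 1705 (added example; not part of the report).
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// The byte listing exactly as it appears in the report (trailing comma included).
static const char kReportBytes[] =
    "0x5c,0x43,0x5b,0x5e,0x28,0x69,0x3f,0xb,0x2a,0x24,0xee,0xad,0xb4,0x24,0x4b,"
    "0x5c,0x5e,0x24,0x5d,0x7b,0x30,0x2c,0x7d,0x2f,0x64,0x2a,0xb,0x4d,";

// REG_NOSUB as defined in PCRE2's pcre2posix.h (assumption; glibc's regex.h
// defines a different value, so the harness must use PCRE2's header).
static const int kPcre2PosixRegNoSub = 0x0020;

// Parse "0x5c,0x43,..." into raw bytes. Empty fields (e.g. the trailing
// comma) are skipped; strtoul with base 16 accepts the 0x prefix.
std::vector<unsigned char> parse_byte_list(const std::string &text) {
  std::vector<unsigned char> out;
  std::string field;
  for (size_t i = 0; i <= text.size(); ++i) {
    if (i == text.size() || text[i] == ',') {
      if (!field.empty()) {
        out.push_back(static_cast<unsigned char>(
            std::strtoul(field.c_str(), nullptr, 16)));
        field.clear();
      }
    } else if (text[i] != ' ') {
      field += text[i];
    }
  }
  return out;
}

// The harness passes data[size/2] & ~REG_NOSUB as cflags; recompute it here
// so the flag word used on the crashing run is visible. Returns -1 on empty input.
int harness_cflags(const std::vector<unsigned char> &input) {
  if (input.empty()) return -1;
  return input[input.size() / 2] & ~kPcre2PosixRegNoSub;
}

// Write the input as a corpus file that the libFuzzer binary can replay.
bool write_corpus_file(const std::string &path,
                       const std::vector<unsigned char> &input) {
  FILE *f = std::fopen(path.c_str(), "wb");
  if (!f) return false;
  size_t n = std::fwrite(input.data(), 1, input.size(), f);
  return std::fclose(f) == 0 && n == input.size();
}

int main() {
  std::vector<unsigned char> input = parse_byte_list(kReportBytes);
  std::printf("crash input: %zu bytes, middle byte 0x%02x -> regcomp cflags 0x%02x\n",
              input.size(), input[input.size() / 2], harness_cflags(input));
  if (!write_corpus_file("crash-1705.bin", input)) return 1;
  // Replay under the ASan-instrumented harness (binary name is hypothetical).
  std::printf("wrote crash-1705.bin; replay with: ./pcre2_posix_fuzzer crash-1705.bin\n");
  return 0;
}
```

The middle byte of this input is 0x4b, and since the 0x20 bit is clear the cflags word stays 0x4b; per pcre2posix.h that is REG_ICASE|REG_NEWLINE|REG_NOTEOL|REG_UTF. REG_UTF being set is worth noting when triaging, because the input contains the three-byte sequence 0xee 0xad 0xb4, which is valid UTF-8.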