[pcre-dev] [Bug 1724] New: heap-buffer-overflow in compile_b…

Pàgina inicial
Delete this message
Autor: admin
Data:  
A: pcre-dev
Assumpte: [pcre-dev] [Bug 1724] New: heap-buffer-overflow in compile_branch src/pcre2_compile.c:5534
https://bugs.exim.org/show_bug.cgi?id=1724

            Bug ID: 1724
           Summary: heap-buffer-overflow in compile_branch
                    src/pcre2_compile.c:5534
           Product: PCRE
           Version: N/A
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Code
          Assignee: ph10@???
          Reporter: kcc@???
                CC: pcre-dev@???


Found with libFuzzer+AddressSanitizer on fresh trunk

==36415==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d0000129ab at pc 0x000000528209 bp 0x7ffe18380d10 sp 0x7ffe18380d08
READ of size 1 at 0x61d0000129ab thread T0
    #0 0x528208 in compile_branch src/pcre2_compile.c:5534:14
    #1 0x4fcfb4 in compile_regex src/pcre2_compile.c:7594:8
    #2 0x4f7f0a in pcre2_compile_8 src/pcre2_compile.c:8677:7
    #3 0x4dda1e in LLVMFuzzerTestOneInput


0x61d0000129ab is located 85 bytes to the left of 191-byte region
[0x61d000012a00,0x61d000012abf)
allocated by thread T0 here:
    #0 0x4b234b in malloc 
    #1 0x4f7201 in pcre2_compile_8 src/pcre2_compile.c:8583:3
    #2 0x4dda1e in LLVMFuzzerTestOneInput 



The following target function was used:

extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { 
  if (size < 1) return 0;                                                       
  regex_t preg;                                                                 
  string str(reinterpret_cast<const char*>(data), size);                        
  string pat(str);                                                              
  PCRE2_SIZE erroffset;                                                         
  int errorcode;                                                                


  int options = 0;                                                              
  for (size_t i = 0; i < 30 && i < size; i++)                                   
    options = (options << 1) ^ data[i];                                         
  if (pcre2_code *x = pcre2_compile((const unsigned char *)pat.c_str(),         
                                    PCRE2_ZERO_TERMINATED, options, &errorcode, 
                                    &erroffset, NULL)) {                        
    pcre2_code_free(x);                                                         
  }                                                                             


  return 0;                                                                     
}                                   


Input:
0xf2,0x28,0x25,0x2a,0x29,0x5c,0x45,0x2b,0x5c,0x78

Note: this is using the full pcre2_compile interface instead of the
posix "regcomp" interface that has been fuzzed extensively in the recent
months.
The "options" are extracted from 'data' in a more or less random way.

--
You are receiving this mail because:
You are on the CC list for the bug.